June 20, 2014
Thousands Of Secret Keys Found In Official Android Apps
Peter Suciu for redOrbit.com - Your Universe Online
Security experts often warn that those who download and use apps – especially for devices that run on Google's open source Android operating system – should only use those that come from official and trusted sites such as Amazon and Google Play. However, even those apps could have a problem it was discovered on Thursday.
"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level," said Professor Jason Nieh, a member of the University's Institute for Data Sciences and Engineering’s Cybersecurity Center, via a statement. "Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."
Nieh and PhD candidate Nicholas Veinnot presented a paper at the recent ACM SIGEMRICS conference, for which they were awarded the prestigious Ken Sevcik Outstanding Student Paper Award. It is reportedly the first paper to make a large-scale measurement of the huge Google Play marketplace.
The pair were able to make this measurement though PlayDrone, a tool they developed that utilizes various hacking techniques to circumvent Google security and successfully download Google Play apps and recover the apps' source code.
According to the researchers, PlayDrone scales through the addition of more servers, yet it is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and de-compiling more than 880,000 free applications.
The two researchers discovered interesting facts along the way, most notably a critical security problem, which according to their findings was that developers often store their secret keys in their apps software. This is similar to traditional usernames/passwords and could be used by anyone to maliciously steal user data or resources from service producers including retailer Amazon and social network Facebook. Many of the apps with the vulnerabilities were designed by Google Play's teams as being "Top Developers" – as in the best developers on Google Play.
Moreover the researchers warned that those vulnerabilities could even affect users that are not actively running the Android apps.
"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," added Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."
Nieh said that developers are already receiving notifications from Google that the apps should be fixed and the secret keys removed.
Finding the security vulnerabilities was a "happy accident" of sorts -- Nieh and Viennot expressed that PlayDrone could lay a foundation for other sorts of analysis. Already the technology has shown that roughly one quarter of Google Play free apps are clones or duplicative of other apps already available; while it has been used to identify performance problems in very slow app purchases in Google Play; and it was used to compile ad top 10 most highly rated along with top 10 worst rated apps on the Google Play site.
"Big data is increasingly important and Android apps are just one form of interesting data," Nieh added. "Our work makes it possible to analyze Android apps at large scale in new ways, and we expect that PlayDrone will be a useful tool to better understand Android apps and improve the quality of application content in Google Play."