PlayDrone Reveals Android Apps Store Secret Keys in Code
Popular Android operating system used on millions of mobile devices has once again been found vulnerable to a set of attacks. This time the attacks lie within Google apps inside Google’s application store, also known as the Google Play store.
Google’s open source network allows application developers to publish hundreds of thousands of unique apps each year. While Google is kind enough to let anyone create an application, a number of low-level developers have been found to have poor security implementation. One huge flaw newbie coders have been found to do, is store secret keys within the application itself, allowing cybercriminals to steal the keys and users sensitive files.
A team of security researchers from Columbia Universities computer science department uncovered a critical security flaw inside Google’s official application marketplace where millions of applications reside.
Researchers uncovered that a huge portion of Android applications have their secret keys stored inside the application code, such as usernames and passwords. This means with the developers lack of security implementations, an attacker could steam information or data from service providers such as Amazon, Facebook, or other high profile websites.
The vulnerabilities reside in poor security implementation inside Android applications, and can affect users even if they are not using the Android apps actively. “Top Developers” as named by the Google Play store itself are known to include such vulnerabilities inside their applications according to researchers.
The Google Play store holds millions of applications, from free to paid, and has resulted in over 50 billion application downloads.
“But no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level,” stated Jason Nieh, professor of computer science at Columbia Engineering, in his blog post.
Researchers have built and utilized a custom tool named PlayDrone, the first Google Play store crawler that uses various techniques to obfuscate or deceive security implementations inside Google’s Play store to prevent the indexing of its own store content.
“We have been working closely with Google, Amazon, Facebook and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” stated researcher, Nicolas Viennot. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.
PlayDrone accumulated downloads over 1.1 million applications while in use, and decompiled over 880,000 free applications analyzing over 100 billion lines of decompiled code.
Security researchers have a set of instructions Google’s Play store should mandate in order to increase security measures. As cyber-criminals prey on weaknesses, such vulnerabilities inside applications are the motherload for malicious hackers.
Researchers note Google should mandate rules against poor security implementations and have a system to approve or disprove applications with poor security implementation. Currently there are no strict guidelines inside Google’s service that requires higher level security. It is noted Google should encourage and enforce security policies to put it as a top priority along with disapproving continuous poor implementation that will eventually lead to that developers license being terminated.
Whether or not Google with enforce any rules against data security in the Google Play store, the scale at which this vulnerability takes place is concerning to say the least.
