Featured Research

from universities, journals, and other organizations

Crucial security problem in Google Play: Thousands of secret keys found in android apps

Date:
June 18, 2014
Source:
Columbia University School of Engineering and Applied Science
Summary:
Researchers have discovered a crucial security problem in Google Play, the official Android app store. The study is the first to make a large-scale measurement of the huge marketplace, using PlayDrone, a tool they developed to circumvent Google security to successfully download Google Play apps and recover their sources.

Some of the secret keys, including Facebook and LinkedIn, were discovered by PlayDrone, a tool developed by Columbia Engineering researchers that uses hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources.
Credit: Columbia Engineering

In a paper presented -- and awarded the Ken Sevcik Outstanding Student Paper Award -- at the ACM SIGMETRICS conference on June 18, Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot reported that they have discovered a crucial security problem in Google Play, the official Android app store where millions of users of Android, the most popular mobile platform, get their apps.

Related Articles


"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play -- anyone can get a $25 account and upload whatever they want. Very little is known about what's there at an aggregate level," says Nieh, who is also a member of the University's Institute for Data Sciences and Engineering's Cybersecurity Center. "Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."

Nieh and Viennot's paper is the first to make a large-scale measurement of the huge Google Play marketplace. To do this, they developed PlayDrone, a tool that uses various hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources. PlayDrone scales by simply adding more servers and is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and decompiling over 880,000 free applications.

Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their apps software, similar to usernames/passwords info, and these can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps. Nieh notes that even "Top Developers," designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps.

"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," says Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."

In fact, Nieh adds, developers are already receiving notifications from Google to fix their apps and remove the secret keys.

Nieh and Viennot expect PlayDrone to lay a foundation for new kinds of analysis of Android apps. "Big data is increasingly important and Android apps are just one form of interesting data," Nieh observes. "Our work makes it possible to analyze Android apps at large scale in new ways, and we expect that PlayDrone will be a useful tool to better understand Android apps and improve the quality of application content in Google Play."

Other findings of the research include:

• showing that roughly a quarter of all Google Play free apps are clones: these apps are duplicative of other apps already in Google Play

• identifying a performance problem resulting in very slow app purchases in Google Play: this has since been fixed

• a list of the top 10 most highly rated apps and the top 10 worst rated apps in Google Play that included surprises such as an app that, while the worst rated, still had more than a million downloads: it purports to be a scale that measures the weight of an object placed on the touchscreen of an Android device, but instead displays a random number for the weight

Good news for the hundreds of thousands of developers who upload content to Google Play and even more so for the millions of users who download the content.


Story Source:

The above story is based on materials provided by Columbia University School of Engineering and Applied Science. The original article was written by Holly Evarts. Note: Materials may be edited for content and length.


Cite This Page:

Columbia University School of Engineering and Applied Science. "Crucial security problem in Google Play: Thousands of secret keys found in android apps." ScienceDaily. ScienceDaily, 18 June 2014. <www.sciencedaily.com/releases/2014/06/140618163920.htm>.
Columbia University School of Engineering and Applied Science. (2014, June 18). Crucial security problem in Google Play: Thousands of secret keys found in android apps. ScienceDaily. Retrieved December 20, 2014 from www.sciencedaily.com/releases/2014/06/140618163920.htm
Columbia University School of Engineering and Applied Science. "Crucial security problem in Google Play: Thousands of secret keys found in android apps." ScienceDaily. www.sciencedaily.com/releases/2014/06/140618163920.htm (accessed December 20, 2014).

Share This


More From ScienceDaily



More Computers & Math News

Saturday, December 20, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Building Google Into Cars

Building Google Into Cars

Reuters - Business Video Online (Dec. 19, 2014) Google's next Android version could become the standard that'll power your vehicle's entertainment and navigation features, Reuters has learned. Fred Katayama reports. Video provided by Reuters
Powered by NewsLook.com
After Sony Hack, What's Next?

After Sony Hack, What's Next?

Reuters - US Online Video (Dec. 19, 2014) The hacking attack on Sony Pictures has U.S. government officials weighing their response to the cyber-attack. Linda So reports. Video provided by Reuters
Powered by NewsLook.com
Navy Unveils Robot Fish

Navy Unveils Robot Fish

Reuters - Light News Video Online (Dec. 18, 2014) The U.S. Navy unveils an underwater device that mimics the movement of a fish. Tara Cleary reports. Video provided by Reuters
Powered by NewsLook.com
How 2014 Shaped The Future Of The Internet

How 2014 Shaped The Future Of The Internet

Newsy (Dec. 18, 2014) It has been a long, busy year for Net Neutrality. The stage is set for an expected landmark FCC decision sometime in 2015. Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins