Thousands of secret keys found in Android apps

Even among the top apps found on Google Play, researchers have found a crucial security flaw that could compromise user data.

Michelle Starr, Science editor


There's a lot to love about the Android app marketplace, but there's a whole lot more to be wary of; predominantly, that developers are not required to submit their app to a review process before pushing it live on Google Play.

This can mean several things, but it also means that users can never be 100 percent certain that the app they are downloading is entirely secure. This has been confirmed once again by researchers Jason Nieh, professor of computer science, and Nicholas Viennot, PhD candidate, at Columbia University, who have performed a content analysis of apps on the store using a scalable tool designed for the purpose called PlayDrone.

PlayDrone uses "hacking techniques" to circumvent Google's security to download Google Play apps, and then recover and analyse their sources. It scales by simply adding more servers; in this way, it managed to decompile over 880,000 of the 1.1 million free apps it downloaded.

What Nieh and Viennot found was that developers often store their secret keys in their app software -- similar, the researchers said, to username and password data -- which can then be used to steal user data or resources from entities such as Amazon and Facebook. Even "Top Developers" promoted by Google Play have included these vulnerabilities in their apps.
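The defect the researchers describe is a credential shipped inside the app binary, where anyone who decompiles the package can read it. The following scanner is an added illustration of how a developer or app-store reviewer can catch this class of mistake before release; it is not PlayDrone's code and is not from the Columbia paper. The Java source it inspects is a constructed snippet, and the keyword list and entropy threshold are heuristics chosen for this example.

```python
import math
import re
from collections import Counter

# Constructed sample of decompiled Android source; the values are made up
# and do not belong to any real service or app.
SAMPLE_SOURCE = '''
public class CloudClient {
    private static final String AWS_SECRET_KEY = "X7q9ZpL2vMw0dKf4RgT8sHn1BcYe6UjA3oWi5tEx";
    private static final String FB_APP_SECRET = "9f1c4e7b2a8d6035c1e4b7a90d2f6c8e1b3a5d7f";
    private static final String KEY_PREFIX = "user_settings_cache";
    private static final String LOG_TAG = "CloudClient";
    private static final String VERSION = "1.0.2";
}
'''

# Heuristic: a string constant whose name suggests a credential and whose
# value is at least 16 characters long. Names and length are assumptions.
CREDENTIAL_ASSIGNMENT = re.compile(
    r'\b(\w*(?:secret|key|token|password)\w*)\s*=\s*"([^"\n]{16,})"',
    re.IGNORECASE,
)

# Literal values with Shannon entropy below this (bits per character) are
# treated as ordinary identifiers rather than keys; 3.5 is a chosen cutoff.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string."""
    counts = Counter(text)
    length = len(text)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def find_hardcoded_secrets(source: str) -> list[tuple[str, str, float]]:
    """Return (constant name, literal value, entropy) for each suspicious
    string constant in a source file.

    A hit needs both a credential-like name and a high-entropy value, so a
    constant such as KEY_PREFIX = "user_settings_cache" is not reported
    while a 40-character random-looking key is.
    """
    hits = []
    for match in CREDENTIAL_ASSIGNMENT.finditer(source):
        name, value = match.group(1), match.group(2)
        entropy = shannon_entropy(value)
        if entropy >= ENTROPY_THRESHOLD:
            hits.append((name, value, entropy))
    return hits


if __name__ == "__main__":
    for name, value, entropy in find_hardcoded_secrets(SAMPLE_SOURCE):
        # Show only a prefix of the value so a scan log does not itself leak the key.
        print(f"{name}: {value[:6]}... (entropy {entropy:.2f} bits/char)")
```

Run against the sample it reports the two 40-character constants and ignores the three benign ones. A scan like this belongs in the build pipeline, not only in a post-publication study: the remediation the article describes (removing keys from source) is far cheaper before the app has shipped, and keys that must reach the device at all should be issued per user or per session by a backend rather than compiled into the APK.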

The good news is that Google is already working to fix this issue. "We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," Viennot said. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."

Developers are also being contacted so that they can remove the secret keys from their source code.

As for PlayDrone, its work isn't over: Nieh and Viennot believe that it can be used to provide insight into Android apps and improve the quality of Google Play. For example, the tool also found that roughly 25 percent of all free apps on Google Play are clones of other apps. This information could be used to help Google crack down on cloned content, which would be great news for developers who are creating original apps.

It also performed an analysis of the 10 best-rated and 10 worst-rated apps on the Google Play store, and found that even the worst-rated app -- a fake scale that purports to weigh whatever you place on your phone but only displays a random number -- has over a million downloads.

Of course, unless Google Play tightens up its policy around misleading apps, that titbit of information could work to decrease the quality of the app store...

You can read the full paper, "A Measurement Study of Google Play", online.