Beware! Android apps may contain secret keys that may compromise personal data
One of the most awesome things about the Google Play Store is the more than one million apps ready for download. Unfortunately, not many of those apps are actually problem-free.
Researchers at Columbia University discovered a security flaw found in majority of the Play Store's Android apps, even in those apps ranked best and most popular. Computer science professor Jason Nieh and student Nicholas Viennot found that most app developers stored their credentials within the app software and wrongly assumed that they can embed OAuth tokens directly into the app without compromising their credentials. The security hole can then be used by malicious users to steal the developer's log-in information and obtain user data and server resources from services such as Facebook and Amazon Web Services.
"Once an attacker acquires a secret OAuth token, a wide range of attacks can be performed as the targeted third-party application is open to impersonation," write (pdf) Nieh and Viennot in a paper presented at the ACM Sigmetrics conference Wednesday. "For example, an attacker can perform denial of service attacks on rate limited services, access and modify application settings, expose private user information, and launch phishing attacks in an attempt to get users' access tokens."
The flaw was discovered using PlayDrone, a Play Store crawler developed by Niehs and Viennot to download more than 1.1 million Android apps without telling Google its security has been breached. The researchers say PlayDrone uses a variety of "common hacking techniques" to get around Google's security measures. These include "simple dictionary-based attacks" and "decompiling and rebuilding" the Google Play client to communicate directly with its servers. PlayDrone has already decompiled 800,000 Android apps and easily scales by adding more servers.
The researchers note that no one reviews app submissions at Google Play, which has more than 50 billion app downloads so far. Anyone with $25 can set up a developer account and upload whatever he wants on the app storefront.
"Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future," says Niehs in a press release.
He also mentioned that Google has already started notifying developers about the problem and instructing them to close the security gap. They have also contact Amazon and Facebook to ensure customer information stored in their servers are safe.
But work for PlayDrone has only just begun. The researchers believe their tool lays the foundation for a more extensive analysis of Android apps. For example, the crawler has also discovered that around 25% of all Android apps are actually clones of other apps, and that even the worst rated apps were downloaded a million times. The researchers were referring to a weighing scale app, which claims to weigh whatever object a user places on his Android screen but only puts out random figures.