Columbia University engineering professor Jason Nieh and PhD candidate Nicolas Viennot recently discovered a major security issue with the Google Play Android app store -- in several thousand cases, developers store secret keys in their software.
"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play -- anyone can get a $25 account and upload whatever they want," Nieh said in a statement. "Very little is known about what’s there at an aggregate level."
Nieh and Viennot developed a Google Play store crawler called PlayDrone, and used it to analyze more than a million applications in the store on a daily basis.
"PlayDrone leverages various hacking techniques to circumvent Google's roadblocks for indexing Google Play store content, and makes proprietary application sources available, including source code for over 880,000 free applications," the pair explain in a paper entitled "A Measurement Study of Google Play" [PDF], which they presented at the ACM SIGMETRICS conference on June 18, 2014.
Among the issues they discovered is the fact that "developers often store secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation," Nieh and Viennot write.
"When implemented as intended, secret tokens are never shared and are stored on trusted servers where they can be properly safeguarded," they write. "However, as these service-to-service protocols have been adapted to mobile applications, we have discovered using PlayDrone that developers are now embedding secret tokens directly into applications."
"While developers may believe their application sources are well guarded, the ease of decompilation and the widespread availability of mobile applications makes recovering secret tokens relatively simple," they add.
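The risk the authors describe is that anything compiled into an APK is recoverable by decompilation, so a practical defensive check is to scan your own decompiled (or pre-build) source for embedded credentials before shipping. The following scanner is an added example, not code from the paper or from PlayDrone; it goes slightly beyond the text by combining a known-format pattern (the 20-character, "AKIA"-prefixed AWS access key ID format) with a generic Shannon-entropy heuristic for other long string literals. The sample Java source, the constant names and the threshold values are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of "decompiled" Android source (not real keys, not from the paper).
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String AWS_KEY = "AKIAEXAMPLEEXAMPLE01";
    private static final String APP_SECRET = "9f3b7c2e1a4d8e6f5b0c2d9a7e4f1b3c";
    private static final String GREETING = "Welcome back";
}
"""

# Known credential formats. AWS access key IDs are 20 characters and begin with "AKIA";
# other providers' formats could be added here as assumptions are confirmed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic heuristic: a quoted literal made only of token-like characters, at least min_len long.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; high values suggest random-looking secrets."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan(source: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_type, literal) for each suspected embedded secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Exact-format matches first, so they are not double-reported as entropy hits.
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(0)))
        # Then flag any remaining long, random-looking literal (URLs and prose fail
        # the character-class test or the entropy threshold and are skipped).
        for match in LITERAL_RE.finditer(line):
            literal = match.group(1)
            already = any(f[0] == lineno and f[2] == literal for f in findings)
            if not already and shannon_entropy(literal) >= entropy_threshold:
                findings.append((lineno, "high_entropy_literal", literal))
    return findings


if __name__ == "__main__":
    for lineno, kind, literal in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {literal}")
```

Running it on the constructed sample reports the AWS-format key on line 3 and the hex secret on line 4 while ignoring the URL and the greeting. A finding means the value must move out of the client: the paper's own remedy is that secret tokens stay on a trusted server, with the app calling that server rather than the third-party service directly.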
Those secret tokens can then be leveraged to steal user data or resources from leading providers. Viennot noted the two are working with Google, Amazon, Facebook, and other service providers to identify and notify at-risk customers and to improve Google Play store security. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."
Checkmarx CEO Emmanuel Benzaquen said by email that consumers need to be more vocal in demanding that the apps they download are proactively checked for flaws. "We would like to see a certification standard for all mobile apps showing that they have been checked for critical vulnerabilities in the code of the app," he said.
"As long as the public remains unconcerned with the security of their data that's stored in mobile applications, cybercriminals will be more than happy to take advantage of their indifference," Benzaquen added.
And as Arxan Technologies director of services Chris Stahly recently told eSecurity Planet, it's crucial to keep in mind that all code written by a mobile app developer is subject to lifting from a mobile device. "This unfettered access to the client has numerous ramifications in terms of application security," he said.
A wide range of tips on how to bake better security into apps can be viewed here.