RESEARCHERS AT COLUMBIA UNIVERSITY have discovered a vulnerability of apps in the Google Play Store that has led to the discovery of hundreds of "secret keys" accessible to anyone who cares to look.
Professor Jason Nieh and doctoral student Nicolas Viennot created a piece of software known as Playdrone that can sweep apps in the Google Play Store and mine data about them.
Playdrone sweeps the Google Play store daily, downloads 1.1 million apk files and decompiles 880,000 non-paid apps.
Among the initial findings of the Playdrone tool is that many secret keys for social network APIs, web-hosting access and other private data can be easily extracted from the decompiled apps, making such data extremely vulnerable. Such data should be encrypted, but many developers leave it in plain sight.
"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," said Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."
Google has already begun the process of warning developers to update their apps.
The Playdrone project is scalable and can be expanded as the Play Store increases in size by simply adding additional servers. The pair's paper on the subject won the Ken Sevcik Outstanding Student Paper award at the recent ACM Sigmetrics Conference.
Professor Nieh said, "Big data is increasingly important and Android apps are just one form of interesting data," He observed, "Our work makes it possible to analyze Android apps at large scale in new ways, and we expect that Playdrone will be a useful tool to better understand Android apps and improve the quality of application content in Google Play."
Other findings revealed by Playdrone include the fact that approximately 25 percent of apps are simply clones of other apps and the fact that over one million users have downloaded an app that claims to be a scale, but in fact just shows a random number.
Earlier this year, it was revealed that secret keys for the Amazon Web Services (AWS) hosting system were being left behind by developers when posting code to Github, leaving websites and files open to attack from outsiders. µ
Sign up for INQbot – a weekly roundup of the best from the INQ