A homegrown crawler built by researchers at Columbia University found that thousands of Android app developers in Google Play store their secret keys in their app software -- including developers designated by Google Play as "Top Developers."
The researchers' so-called PlayDrone tool slipped past Google Play security to download more than 1.1 million Android apps and decompile some 880,000 free apps in order to test the security of the store and its apps.
"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play -- anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level," says Jason Nieh, professor of computer science at Columbia Engineering and a member of the university's Institute for Data Sciences and Engineering’s Cybersecurity Center. "Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."
PlayDrone provided other insight into the Google Play store as well, including a performance issue and the fact that about one-fourth of all free apps there are duplicates.
But the biggest finding was that thousands of secret authentication keys sit in apps in the store, which could be used by attackers to steal data or resources from Amazon and Facebook, for example. "We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," says Columbia PhD candidate Nicolas Viennot, who along with Nieh presented a paper on the findings this week. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."
Google is currently notifying app developers about the findings, urging them to remove the secret keys.
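The remediation Google is asking for (keep credentials out of the shipped app) is easier to enforce with a check in the release pipeline than by hoping developers remember. The script below is an added example written for this article, not PlayDrone's code or anything from the Columbia paper: it opens an APK as the zip archive it is, runs a raw string search over every entry (including the dex string pool, where plain constants sit unobfuscated), and reports anything shaped like a credential. The AWS access key ID shape (`AKIA` plus 16 upper-case alphanumerics) is documented by AWS; the other two patterns are generic heuristics I chose, and the sample archive is constructed inline using the placeholder key values from AWS's own documentation.

```python
import io
import re
import zipfile

# Patterns for a pre-release "did a credential end up in the build?" check.
# The AWS access key ID shape is documented by AWS; the other two are
# heuristics (assumptions) that each project should tune to its own secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # key = "value" / "key": "value" in JSON, .properties, Java/Kotlin constants
    "secret_assignment": re.compile(
        r"""(?i)(?:secret|token|password|api_?key)\w*["']?\s*[:=]\s*["']?([A-Za-z0-9/+_\-]{8,})"""
    ),
    # <string name="...secret...">value</string> in Android resource XML
    "secret_string_resource": re.compile(
        r"""(?i)<string\s+name="[^"]*(?:secret|token|password|api_?key)[^"]*"\s*>([^<]{8,})</string>"""
    ),
}


def scan_bytes(origin, data):
    """Return (origin, pattern_name, matched_value) for every hit in one file.

    latin-1 decoding never fails, so the regexes can run over binary members
    such as classes.dex as well as over text assets and resource XML.
    """
    text = data.decode("latin-1")
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            hits.append((origin, name, value))
    return hits


def scan_apk(apk):
    """Scan every entry of an APK (a zip archive given as bytes, path or file object)."""
    if isinstance(apk, bytes):
        apk = io.BytesIO(apk)
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits.extend(scan_bytes(info.filename, zf.read(info.filename)))
    return hits


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a fake dex, a JSON asset and
    a resource file. The key values are the placeholders from AWS documentation,
    not real credentials."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dex = b"dex\n035\x00" + b"\x00" * 16 + b"AKIAIOSFODNN7EXAMPLE\x00" + b"\xff" * 8
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/config.json",
                    '{"api_key": "sample-api-key-0001", "region": "us-east-1"}')
        zf.writestr("res/raw/keys.xml",
                    '<resources><string name="aws_secret_key">'
                    'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string></resources>')
    return buf.getvalue()


if __name__ == "__main__":
    # Fail the build (non-zero exit) if anything credential-shaped is found.
    import sys
    found = scan_apk(build_sample_apk())
    for origin, kind, value in found:
        print(f"{origin}: {kind}: {value[:6]}...")
    sys.exit(1 if found else 0)
```

Hook this into the build as a gate on the signed APK rather than on the source tree, because the artifact is what ends up in the store; the same search over a checkout catches the problem earlier but misses values injected at build time. A raw string search only finds constants stored in the clear, which is the case PlayDrone reported at scale; keys that are split, encoded or assembled at runtime need the decompilation approach the Columbia researchers used.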
Security experts say PlayDrone exposed an embarrassing lack of vetting by Google of the Google Play store. "PlayDrone is interesting on many levels. It's academics using hacking for good and is completely embarrassing one of the world's biggest tech giants in the process. Not to mention that they basically showed the 'security by obscurity' approach so many app developers were taking," says Jonathan Sander, strategy and research officer with StealthBits Technologies.
"What PlayDrone has exposed is that many app developers left their secret keys on the equivalent of a post note stuck to the monitor because they thought their office door was locked. Using that key, an attacker can log into their system, steal data that's there (including data about anyone who has downloaded that app), and even rig systems in that virtual store to do more harm or syphon off more data," Sander tells us. "I'm sure stuffing those secret keys into the apps made things easier for the developers to get their apps out just a bit faster to gain an edge."
According to data from SafeNet, 74% of organizations store crypto keys in software. "This is the IT security equivalent of leaving house keys under the doormat," says Prakash Panjwani, president and CEO of SafeNet.
The Columbia University paper is available here for download.