Thursday, 19 June 2014

PlayDrone Reveals Secret Keys from Thousands of Play Store Android Apps

android apps secret keys hacking
Google's Android Mobile operating system for smartphones and tablets have Google's own Play Store that provides its Android users the most visible way to access the world of millions of apps.

App developers produce more than thousands of applications each year, but majority of newbie and unprofessional developers use unsafe, unreliable, and insecure coding practices, as many developers store secret keys in their apps that could potentially allow cybercriminals to steal users’ sensitive data.

A team of researchers from the computer science department of the Columbia University have discovered a critical security problem in the Google’s official Android app store from where millions of Android users download various apps.

Researchers have found that most of the Android application developers often store their secret keys in their app's code, similar to usernames/passwords information, which could be then used by any bad actor to maliciously steal users’ information or resources from the service providers such as Amazon and Facebook.

These vulnerabilities in the implementation of the Android applications can affect users even if they are not actively using the Android apps. Even "Top Developers" designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps, according to the researchers.

Google play store contains millions of apps, including free and paid apps, and over 50 billion app downloads.

But no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what's there at an aggregate level," said Jason Nieh, professor of computer science at New York-based Columbia Engineering.

Researchers built and make use of a tool called PlayDrone, the first scalable Google Play store crawler tool that uses various hacking techniques to deceive the security measures that Google uses to prevent indexing of its Google Play store content. One can successfully download Google Play store content and recover their sources.

"We have been working closely with Google, Amazon, Facebook and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," said one of the researcher, Nicolas Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."

PlayDrone managed to download more than 1.1 million Android apps and decompile over 880,000 free applications and analyzing over 100 billion lines of decompiled code.

WHAT GOOGLE SHOULD DO?
With the widely spread platform of Android operating system in the mobile phones, no doubt it’s become an easy target for cybercriminals. Now, this weakness in the practices of apps development found on the official Google play store is icing on the cake for cybercriminals.

I would not call it a vulnerability in the Google play store because its not flaw in their server or network, rather it’s the fault of app developers, who take their users’ data security as granted and Google itself, which approves apps with weak development practices and have never implement any strict guidelines to stop developers from doing so.

Google should actively encourage and enforce new policy on the app developers, so that they give top priority to their users’ data security and any violations to the policy could lead to suspension of that developer’s licence.

Reference- http://thehackernews.com/

No comments:

Post a Comment