Columbia University computer scientists find poorly-written Google Play store apps with secret authorization keys

Many IT security professionals have been leery of allowing Android-toting employees at their organizations to have access to their networks because of security concerns.

Now another justification has emerged: The discovery of poorly-coded apps in the Google Play store that could compromise user accounts on Amazon Web services and Facebook.

The discovery was made by researchers at Columbia University who built a tool to scan the 1.1 million apps in Google Play on a single day last year. Click the link above to read their report.

What they found were apps with  thousands of leaked secret authentication keys which can be used by malicious users to gain unauthorized access to server resources.

Although Google scans apps for malicious code when they are uploaded to the Play store it doesn’t look for mistakes made by clumsy or lazy coders.

To see what could be found researchers built a tool they call PlayDrone, which leverages common hacking techniques to easily circumvent security measures preventing indexing Google Play store content. It stores each application’s metadata and decompiled sources in a Git repository. And it uses the Elasticsearch distributed real-time search and analytics engine using an indexing schema based on the Google Play store API to analyze and explore the Google Play store metadata and content.

In addition to finding 25 per cent of Google Play store apps are duplicative (how many versions of Solitaire does the world need?) including various types of spam, application rebranding, and application cloning, the data found something else: developers that have stored secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation.

“These keys can be used by malicious users to steal server resources or user data available through services such as Amazon Web Services (AWS) or Facebook,” their paper says. ”

Unlike compromised applications that only affect users who download and run them, these server vulnerabilities affect users without even running the applications. Our results demonstrate developer confusion may subvert the effectiveness of the widely used OAuth open source standard for authentication.”

Google has been given code to help it scan for such vulnerabilities and service providers have been alerted to prevent attacks using the exploit.

It isn’t clear if coders who write Android apps are lazy, or if the same vulnerability is in iOS, Windows Phone or BlackBerry apps.

Either way, the research can be another reason why IT pros say no to Android on their networks.

But also now every IT and developer shop should also be alert to the dangers of embedding authentication keys in client apps.

Related Download
The New Workplace: Supporting “Bring your own”							Sponsor: IBM Canada Ltd
The New Workplace: Supporting “Bring your own”
“Bring Your Own Device” (BYOD) and the “consumerization of IT” have taken hold in the enterprise, and employees using their own personal smartphones and tablets for business have become pervasive.
Register Now
Share on LinkedIn Share with Google+ Comment on this article
More Articles