Researchers at Columbia University School of Engineering have discovered a critical security problem in Google Play, the official Android app store.
They developed a tool called PlayDrone that uses various hacking techniques to circumvent Google security to download Google Play apps and recover their sources.
After downloading more than 1.1 million Android apps and decompiling over 880,000 free applications, they found that developers often store their secret keys in their software.
These keys can then be used by anyone to steal user data or resources from service providers such as Amazon and Facebook, the researchers said.
These vulnerabilities, which were also found in apps from developers recognised by Google Play as top developers, can affect users even if they are not actively running the Android apps.
But the flaws have gone undetected because, according to the researchers, very little is known about what is uploaded to Google Play.
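The problem the researchers describe is detectable by the developer before an app ships: once an APK is decompiled, a hard-coded credential is just a string literal in the source. The script below is an added illustration, not code from the article or from PlayDrone, of the kind of secret scan a developer or app-store reviewer could run over decompiled sources. The sample source, the key values and the names of constants are all constructed for the example; the AWS access key ID pattern (AKIA followed by 16 upper-case alphanumerics) is the documented format, while the list of suspicious variable names and the entropy threshold are heuristic assumptions.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of what decompiled Android source might look like.
# None of the values are real credentials.
SAMPLE_SOURCE = """\
public class Config {
    static final String AWS_ACCESS_KEY = "AKIAEXAMPLEKEY000001";
    static final String AWS_SECRET = "x9Qv2LpT7mZkR4sW1hJcN8bYdF3gA6eU";
    static final String FB_APP_ID = "123456789012345";
    static final String PASSWORD_HINT = "enter your password here";
    static final String LOG_TAG = "MainActivity";
    static final String API_URL = "https://api.example.com/v1";
}
"""

# Documented AWS access key ID shape: "AKIA" plus 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Heuristic (assumed, not exhaustive): a string literal of 16+ characters
# assigned to a constant whose name suggests it holds a credential.
SECRET_ASSIGN_RE = re.compile(
    r'(?i)\b(\w*(?:secret|token|password|api_?key|private_?key)\w*)\s*=\s*"([^"]{16,})"'
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking credentials score high (close to
    log2 of the alphabet size); human-readable text and URLs score lower."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(source: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_kind, value) for each suspected secret.

    Two rules are combined: an exact format match for AWS access key IDs, and
    a name-plus-entropy rule that flags random-looking literals assigned to
    credential-like constants while ignoring low-entropy UI strings such as
    a password hint."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        m = SECRET_ASSIGN_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if AWS_ACCESS_KEY_RE.fullmatch(value):
                continue  # already reported by the format rule above
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, f"high_entropy_{name}", value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Run against the sample, the scan reports the access key ID on line 2 and the high-entropy secret on line 3, while the numeric app ID, the password hint text and the URL are left alone. In a real pipeline the same check belongs in a pre-commit hook or build step, so the credential never reaches the APK in the first place; the remediation for anything it does find is to revoke the key at the provider and move the secret server-side, since removing it from the next release does not help users still running the old one.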
Jason Nieh, professor of computer science at Columbia Engineering, said: “Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play. Anyone can get a $25 account and upload whatever they want.
"Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.”
Since completing the study, the researchers have been working closely with Google, Amazon, Facebook and other service providers to identify and notify customers at risk, and make Google Play safer.
“Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future,” said PhD student Nicolas Viennot.
Jason Hart, vice-president of cloud solutions at security firm SafeNet, said the Columbia University study should serve as a warning to companies that continue to store encryption keys in software.
“Sensitive data and intellectual property are only secure if the keys used to encrypt it are secure,” he said. “When keys are stored in servers that also store the software, they are susceptible to compromise and loss.”
According to recent research by SafeNet, 74% of organisations are storing cryptographic keys in software.
Hart added: “This is the IT security equivalent of leaving house keys under the doormat. Instead, organisations should use purpose-built key management platforms that allow users to store and manage keys in hardware, where they are more protected and controlled.
“Only those companies that encrypt all valuable data and apply tamper-proof and robust controls to the management of the security keys can be safe in the knowledge that their data is protected, whether or not a security breach occurs.”