Researchers find critical Android security problem in Google Play

Researchers have discovered a critical security problem in Google Play, the official Android app store

Researchers at Columbia University School of Engineering have discovered a critical security problem in Google Play, the official Android app store.

They developed a tool called PlayDrone that uses various hacking techniques to circumvent Google security to download Google Play apps and recover their sources.

The details of the team's research was presented in a paper at the ACM Sigmetrics 2014 in Austin, Texas.

After downloading more than 1.1 million Android apps and decompiling over 880,000 free applications, they found that developers often store their secret keys in their software.

These keys can be then used by anyone to steal user data or resources from service providers such as Amazon and Facebook, the researchers said.

These vulnerabilities, also introduced by developers recognised by Google Play as top developers, can affect users even if they are not actively running the Android apps.

But the flaws have gone undetected because, according to the researchers, very little is known about what is uploaded to Google Play.

Jason Nieh, professor of computer science at Columbia Engineering, said: “Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play. Anyone can get a $25 account and upload whatever they want. 

"Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.”

Since completing the study, the researchers have been working closely with Google, Amazon, Facebook and other service providers to identify and notify customers at risk, and make Google Play safer.

“Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future,” said PhD student Nicolas Viennot.

Jason Hart, vice-president of cloud solutions at security firm SafeNet, said the Columbia University study should serve as a warning to companies that continue to store encryption keys in software.

“Sensitive data and intellectual property are only secure if the keys used to encrypt it are secure,” he said. “When keys are stored in servers that also store the software, they are susceptible to compromise and loss.”

According to recent research by SafeNet, 74% of organisations are storing cryptographic keys in software.

Hart added: “This is the IT security equivalent of leaving house keys under the doormat. Instead, organisations should use purpose-built key management platforms that allow users to store and manage keys in hardware, where they are more protected and controlled.

 “Only those companies that encrypt all valuable data and apply tamper-proof and robust controls to the management of the security keys can be safe in the knowledge that their data is protected, whether or not a security breach occurs.”

Read more on Application security and coding requirements