Crucial security problem in Google Play: Thousands of secret keys found in android apps
Posted on 06/22/2014 3:35:38 PM PDT by Swordmaker
Researchers have discovered a crucial security problem in Google Play, the official Android app store. The study is the first to make a large-scale measurement of the huge marketplace, using PlayDrone, a tool they developed to circumvent Google security to successfully download Google Play apps and recover their sources.
Some of the secret keys, including Facebook and LinkedIn, were discovered by PlayDrone, a tool developed by Columbia Engineering researchers that uses hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources.
In a paper presented -- and awarded the Ken Sevcik Outstanding Student Paper Award -- at the ACM SIGMETRICS conference on June 18, Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot reported that they have discovered a crucial security problem in Google Play, the official Android app store where millions of users of Android, the most popular mobile platform, get their apps.
"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play -- anyone can get a $25 account and upload whatever they want. Very little is known about what's there at an aggregate level," says Nieh, who is also a member of the University's Institute for Data Sciences and Engineering's Cybersecurity Center. "Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."
Nieh and Viennot's paper is the first to make a large-scale measurement of the huge Google Play marketplace. To do this, they developed PlayDrone, a tool that uses various hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources.
(Excerpt) Read more at sciencedaily.com ...
Many of the apps on the Amazon store come preloaded, at the very least, with spyware. Android is NOT a safe platform.
As a Luddite all I can say is “I told you so!”
It’s a bit safer with a few custom ROMs I have in mind. There really is no real “safe” platform. iOS is just a false sense of security.
But what does it all mean to average Joes or Jills who don’t understand what the heck you’re talking about? Can you simplify this for us dummies?
Yes, you're right, iOS malware DOES exist. . . Here's the entire list. . . All eleven of them, only three that affected non-Jailbroken iOS devices (and one of those three was a theoretical "proof of concept"), and none which apply to modern iOS devices.
So which to choose to use? A Swiss cheese that is full of malware or one that really is SAFE, contrary to your erroneous assumptions. . . or shall we say "false sense of un-security?"
"critical security problem: developers often store their secret keys in their apps software, similar to usernames/passwords info, and these can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps. Nieh notes that even "Top Developers," designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps."
One other interesting discovery by these researchers was:
". . . roughly a quarter of all Google Play free apps are clones: these apps are duplicative of other apps already in Google Play."
Which means that a large percentage of free Android Apps are stolen from other developers. . . and downloading one has one chance in four of duplicating apps you already have. Since 70% of the apps in Google Play are free, then almost 200,000 of the apps in the store are clones of other apps.
And that isn't all:
". . . the worst rated [Android app], still had more than a million downloads: it purports to be a scale that measures the weight of an object placed on the touchscreen of an Android device, but instead displays a random number for the weight."
In other words, being un-curated, there is no guarantee that apps do what they are advertised to do. Now it turns out that even the best of them have serious security issues built into them that can compromise many things for the developer and for the user.
Incidentally, I find that “worst Android app” being downloaded over a million times by Android users to be particularly ironic. . . since so many Android users denigrate iPhone users as technically ignorant people who choose iPhones because they can’t handle the technically superior Android environment and need the “simple minded iPhones.” Any minimally technically competent person who understands how a touch screen works would understand that a software app could not weigh anything placed on a touch screen. . . and over a million Androidans downloaded this scam app loaded with malware???
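As an added illustration (not code from the article, the paper, or anyone in this thread) of the developer-side check the "secret keys stored in the app" finding calls for: a small scanner over an unpacked APK's res/values/strings.xml that flags values with a known provider key prefix or a credential-like name paired with a high-entropy value. The sample XML, resource names and thresholds are constructed; the two AWS values are AWS's own published example credentials, not live keys.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed strings.xml as it might appear in an unpacked APK (res/values/strings.xml).
# The two AWS values are the documented AWS example credentials, not real keys.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">WeightScale</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="welcome_msg">Welcome back, your scale is ready!</string>
    <string name="support_url">https://example.invalid/support</string>
</resources>"""

# Provider key formats with a fixed, public prefix (AWS access key IDs start with "AKIA").
KNOWN_KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Resource names that suggest the value is a credential (constructed heuristic list).
SENSITIVE_NAME = re.compile(r"secret|api_?key|access_?key|token|password|private", re.I)
ENTROPY_THRESHOLD = 4.0   # bits per character; random base64-like strings sit well above this
MIN_SECRET_LEN = 16       # short values are too likely to be ordinary labels

def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_strings_xml(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (resource_name, reason, value) for every string that looks like an embedded secret."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        for label, pattern in KNOWN_KEY_PATTERNS.items():
            if pattern.search(value):
                findings.append((name, label, value))
                break
        else:
            # No known prefix: fall back to "credential-like name + long, high-entropy value".
            if (SENSITIVE_NAME.search(name) and len(value) >= MIN_SECRET_LEN
                    and shannon_entropy(value) >= ENTROPY_THRESHOLD):
                findings.append((name, "high_entropy_secret", value))
    return findings

if __name__ == "__main__":
    for name, reason, value in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason} -> {value[:6]}...")   # print only a prefix of the value
```

Running this over the constructed sample flags both AWS entries and nothing else; the same two checks can be run over decompiled source or a release build as a CI gate before an app is uploaded.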
Cyanogen, and Guardian Project are pretty solid. Even those are vulnerable via SIM/GSM/CDMA level snooping like any cell phone.
Whoopee. GSM and CDMA are communications standards. . . they have nothing to do with penetrating the computer's operating system. They work within their own chipsets and do not have any interaction with the OS. Yes, another receiver can intercept the signals of both standards and if the data is unencrypted, interpret it. Even if it's encrypted, given a key, or enough time, the data flow can be deciphered if it's important enough to expend the dollars and time. SIM requires physical possession of the device and the ability to open it. I.e., the user's PIN to unlock the device to copy the data. . . or to steal the SIM card. None of this is what software vulnerabilities are about. . . iPhones don't have a SIM card to steal. And a stolen iOS device can be remotely bricked, killed, never to be even reinstalled with a new iOS install to be resold, without the owner's Apple ID and password, so that handles that problem. Encrypt your data transmissions and the other is handled.
Apparently your Cyanogen and Guardian Project MISSED all of this mess reported in the article in Android's Play Store apps. . . doesn't say much for them, does it? Guardian's been working on security for apps for five years. . . and they didn't notice these gaping holes???
You sound like an Apple fanboy. I wasn’t trying to bad mouth iOS at all. I use both devices daily and enjoy certain aspects of them. I’m just pointing out the fact that everyone who uses a smart device, which connects to a cell system, is vulnerable. Just the world we live in.
Thanks for the explanation. I appreciate it.