Companies warned of major security flaw in Google Play apps

Many Android apps on Google Play contain authentication keys that can be easily taken to steal corporate and personal data

University researchers have found that developers often store authentication keys in the Android apps on Google Play, making it possible for criminals to steal corporate or personal data.

The major security threat has cast doubt on the effectiveness of the automated scanning tools Google uses to uncover malicious code and other problems that could pose a risk to users.

"If I'm a CISO, and I'm trying to make decisions about BYOD policies for my corporation, I might say, 'you know what -- Android, not cool,'" Jonathan Sander, strategy and research officer for STEALTHbits Technologies, said.

Google, which has been notified of the problem, did not respond to a request for comment.

Columbia University researchers developed a tool they called PlayDrone that indexed and analyzed more than 1.1 million apps in Google Play, the official online store for people with smartphones and tablets running Google's Android operating system.

Using various hacking techniques, PlayDrone circumvented the measures Google uses to prevent indexing of store content, and it extracted the source code of more than 880,000 free applications.

In decompiling and analyzing the apps, the researchers discovered that "developers often store secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation."

The authentication keys are used to make secure connections between apps and the servers they communicate with. If criminals get the keys, they could decrypt information the app stores on a remote server, including servers belonging to a cloud service provider such as Amazon Web Services or Facebook, the researchers said.

"If there is corporate data in the cloud, and a company had an app that had the secret keys in it, someone could potentially steal data from the cloud," Jason Nieh, co-author of the research report, said in an email.

Some apps connecting to Facebook were found to contain authentication keys, Nieh said. Once notified, Facebook stopped accepting the keys, which forced the developers to change the apps to continue working with the service.

"How substantial the changes are depends on the service provider and the app," Nieh said. "In some cases, the changes can be substantial."

If a criminal finds an Android app with the keys stored inside, then it would be "pretty trivial" to decompile the app as the researchers did, Theodora Titonis, vice president of mobile security for Veracode, said.

"There are tools readily available to do that," she said.

The most likely reason developers would store such an important component in the app is to avoid writing the additional code required to store the keys on the server, where they would be more secure, Titonis said.
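The finding above (keys recovered from decompiled apps) and the mitigation Titonis describes (keep keys on the server) suggest a pre-release check: scan the decompiled output of your own build for provider credentials before it ships. The following scanner is an added example, not code from the researchers, PlayDrone or any vendor named here. It assumes a decompiled Java source tree as input; the `CloudSync` class and its values are constructed sample content (the AWS key pair is the documentation placeholder pair, not a real credential), and the two heuristics, a known access-key-ID format and a Shannon-entropy test on string literals assigned to secret-looking names, are ordinary secret-scanning techniques rather than anything the article specifies.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Constructed sample: roughly what a decompiled Android class looks like.
# The credential values are the well-known AWS documentation placeholders.
SAMPLE_SOURCE = """\
package com.example.notes.sync;

public class CloudSync {
    private static final String BASE_URL = "https://api.example.com/v1/";
    private static final String KEY_PREFS = "user_settings";
    // Hard-coded provider credentials: the pattern the researchers describe.
    private static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
}
"""

# Known-format rule: AWS access key IDs start with "AKIA" + 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# A string literal assigned to some identifier: NAME = "value"
ASSIGNMENT_RE = re.compile(r'(?P<name>\w+)\s*=\s*"(?P<value>[^"\n]*)"')
# Identifier names that suggest the literal is a credential.
SENSITIVE_NAME_RE = re.compile(r'secret|key|token|passw', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned text
    kind: str       # which heuristic fired
    name: str       # identifier the literal was assigned to
    redacted: str   # enough to locate it, never the full value


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, words and URLs low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so a developer can find the literal without logging the secret."""
    return f"{value[:4]}... ({len(value)} chars)"


def scan_source(text: str, min_len: int = 20, min_entropy: float = 3.5) -> list[Finding]:
    """Return findings for one decompiled source file.

    A line matched by a known credential format is reported once and not
    re-scanned by the entropy heuristic, so each literal yields one finding.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        assignment = ASSIGNMENT_RE.search(line)
        name = assignment.group("name") if assignment else "<unnamed>"

        known = AWS_ACCESS_KEY_RE.search(line)
        if known:
            findings.append(Finding(lineno, "aws_access_key_id", name, redact(known.group(0))))
            continue

        # Entropy heuristic: only for literals whose identifier looks credential-like,
        # long enough to be a key, and random-looking enough to not be a label or URL.
        if not assignment or not SENSITIVE_NAME_RE.search(name):
            continue
        value = assignment.group("value")
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append(Finding(lineno, "high_entropy_secret", name, redact(value)))
    return findings


def scan_directory(root: str, patterns=("*.java", "*.kt", "*.smali", "*.xml")) -> dict[str, list[Finding]]:
    """Walk a decompiled tree (path is an assumption of this example) and collect findings per file."""
    results: dict[str, list[Finding]] = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            found = scan_source(path.read_text(errors="replace"))
            if found:
                results[str(path)] = found
    return results


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; a CI job would call scan_directory()
    # on the decompiler output and fail the build if anything is returned.
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} in {f.name}: {f.redacted}")
```

Run against the sample, the scanner reports the access key ID by format and the secret by entropy, while the URL and the short preferences-file name pass. A clean scan is not proof of safety: the hard-coded key is the symptom, and the fix the article points to is moving the key behind your own server so the app never holds a long-lived provider credential at all.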

"There's more complexity," she said.

Mobile app developers are notorious for reducing their workload by cutting corners on security. In most cases, getting the app to market as quickly as possible trumps better protection for users, experts say.

A study conducted last year by Hewlett-Packard found that 86 percent of the mobile apps published by 600 Forbes Global 2000 companies did not have adequate security in place to defend against the most common exploits.

Stories by Antone Gonsalves