Google Play analysis reveals security flaws in apps, say researchers

'PlayDrone' decompilation spots insecure credentials

Researchers analysing Google Play Store apps with a specially written 'crawling' tool uncovered serious security problems that would have allowed attackers to compromise social media and other accounts, as well as to steal the credentials developers use for Amazon Web Services (AWS).

In their paper, Professor Jason Nieh and PhD student Nicolas Viennot of Columbia University describe a powerful automated tool, dubbed 'PlayDrone', that decompiled 100 billion lines of code from the Play Store's 1.1 million apps, 880,000 of which were free.

What they discovered about this software population between June and November of 2013 was at times surprising and occasionally quite concerning.

Some of what this revealed about Google Play was far from obvious. For instance, using a Jaccard index analysis, the pair worked out that a quarter of all the apps on Play are clones of other apps, not merely in function but in their underlying code.
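The Jaccard index behind that clone figure is simply the size of the overlap between two sets divided by the size of their union. The following is an added illustration of that analysis, not PlayDrone's own code: it assumes each app is fingerprinted as the set of fully qualified method names in its decompiled classes (the article does not say which features PlayDrone compares), and the three sample apps are constructed for the example. It also shows why a bundled ad or analytics library should be stripped before comparing, since shared SDK code inflates the score between unrelated apps.

```python
"""Jaccard-similarity clone detection over constructed app fingerprints.

Added example, not PlayDrone's code. Each app is represented by the set of
fully qualified method names found in its decompiled classes (an assumption
of this example; the article does not state PlayDrone's exact feature set).
"""
from itertools import combinations

# Constructed sample: a flashlight app, a near-identical rebrand of it, and an
# unrelated app that merely bundles the same ad SDK.
APP_METHODS = {
    "com.example.flashlight": {
        "com.example.flashlight.MainActivity.onCreate",
        "com.example.flashlight.MainActivity.toggleTorch",
        "com.example.ads.Banner.load",
        "com.example.ads.Banner.show",
    },
    "com.other.torch": {
        "com.example.flashlight.MainActivity.onCreate",
        "com.example.flashlight.MainActivity.toggleTorch",
        "com.example.ads.Banner.load",
        "com.example.ads.Banner.show",
        "com.other.torch.Branding.setName",
    },
    "com.unrelated.notes": {
        "com.unrelated.notes.NoteList.onCreate",
        "com.unrelated.notes.NoteEditor.save",
        "com.example.ads.Banner.load",
        "com.example.ads.Banner.show",
    },
}

# Package prefixes of third-party SDKs that should not count towards similarity.
LIBRARY_PREFIXES = ("com.example.ads.",)


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty fingerprints are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def strip_library_code(methods, prefixes=LIBRARY_PREFIXES):
    """Drop methods belonging to known shared libraries before comparing."""
    return {m for m in methods if not m.startswith(prefixes)}


def find_clones(apps, threshold=0.7, prefixes=LIBRARY_PREFIXES):
    """Return (app_a, app_b, score) for every pair at or above the threshold.

    Pairs are visited in sorted name order so the output is deterministic.
    Scores are computed on the raw fingerprints; pass prefixes=() to disable
    stripping or call strip_library_code yourself to see the difference.
    """
    clones = []
    for (name_a, set_a), (name_b, set_b) in combinations(sorted(apps.items()), 2):
        score = jaccard(set_a, set_b)
        if score >= threshold:
            clones.append((name_a, name_b, score))
    return clones


if __name__ == "__main__":
    for a, b, score in find_clones(APP_METHODS):
        print(f"{a} ~ {b}: {score:.2f}")
    fl = strip_library_code(APP_METHODS["com.example.flashlight"])
    notes = strip_library_code(APP_METHODS["com.unrelated.notes"])
    print(f"flashlight vs notes without the ad SDK: {jaccard(fl, notes):.2f}")
```

With the raw fingerprints the flashlight app and its rebrand score 0.8 and are reported as clones, while the unrelated notes app scores 1/3 against the flashlight app purely because both embed the same ad SDK; once the SDK methods are stripped that score drops to zero, which is why a real clone analysis should exclude shared library code first.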

Google's Play Store offers a huge amount of choice but, as with other app stores, some of it is illusory: developers repurpose the same apps over and over again.

The division between the small number of apps that interest users and are downloaded and the huge population that aren't was also stark, with the top 1 percent of apps accounting for 81 percent of all downloads as of November last year. The overwhelming majority of apps that do get downloaded are free; no paid app accounted for more than 5 million downloads.

More eye-opening were two potentially major security flaws: in the way apps store authentication credentials for AWS, and in the way mobile clients authenticate themselves using app OAuth tokens (for instance, the 'Login with Facebook' function).

The pair used PlayDrone to search the decompiled app source code for substrings such as 'secret', discovering that a significant number of developers were embedding their AWS credentials within apps; mobile and web applications are often built on such services.

In a June 2013 test run they uncovered 308 such tokens, 94 percent of which were still valid for gaining access to those services several months later.

"Exposure of the AWS tokens can provide access to existing AWS resources, potentially leading to a range of confidentiality, integrity, and availability attacks, as well as the capability to allocate new resources at the owner's expense," explained the authors.

This number was sufficient for an attacker to set up an AWS-hosted botnet, they added.

As for OAuth, they also discovered that this authentication mechanism was being implemented across a range of popular services - Facebook, Twitter, Bitly and others - in a way that would allow attackers to gain access to them using the same decompilation approach used by PlayDrone.

For Facebook the pair extracted 1,477 credentials and for Twitter 28,235; in principle these could be used to compromise user accounts on those services.
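Both findings, the embedded AWS keys and the embedded OAuth app secrets, come down to the same substring search over decompiled source that the article describes, and the same search is what a developer or app-store reviewer can run before publishing to catch them. The scanner below is an added example, not PlayDrone's code. It checks the documented AWS access key ID format (20 characters beginning with "AKIA") and, following the article's 'secret' heuristic, any string literal assigned to an identifier containing "secret", which covers AWS secret keys as well as OAuth consumer and app secrets. The Java file it scans is constructed for the example and uses the published AWS documentation example key; matched values are masked in the report so the scan output does not itself leak a credential.

```python
"""Scan decompiled app source for embedded AWS and OAuth credentials.

Added example, not PlayDrone's own code. The AWS access key ID format is the
documented one; the "secret" identifier heuristic follows the substring
search the article describes. Pattern details are this example's choices.
"""
import re
from pathlib import Path
from typing import Iterator, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    masked: str  # credential with the middle replaced by '*'


# AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A string literal of 8+ characters assigned to an identifier that contains
# "secret" (case-insensitive), e.g. SECRET_KEY, fbAppSecret, consumerSecret.
SECRET_ASSIGNMENT = re.compile(r'(?i)\b[\w.]*secret[\w.]*\s*=\s*"([^"]{8,})"')

# Constructed sample input: what a decompiled config class might look like.
# The values are AWS's documentation example key and made-up secrets.
SAMPLE_JAVA = """\
package com.example.uploader;

public class S3Config {
    // Constructed example values; the EXAMPLE suffix marks them as fake.
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String FB_APP_SECRET = "0123456789abcdef0123456789abcdef";
    static final String BUCKET = "example-bucket";
}
"""


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding can be matched
    to the real key by its owner, without reproducing the whole credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_source(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per credential-looking token in the given source text."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY.finditer(line):
            yield Finding(path, lineno, "aws_access_key_id", mask(m.group(1)))
        for m in SECRET_ASSIGNMENT.finditer(line):
            yield Finding(path, lineno, "secret_assignment", mask(m.group(1)))


def scan_tree(root: str, suffixes=(".java", ".smali", ".xml")) -> list:
    """Walk a decompiled app directory and scan every source-like file."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            findings.extend(scan_source(str(p), p.read_text(errors="replace")))
    return findings


def scan_sample() -> list:
    """Run the scanner over the constructed sample file."""
    return list(scan_source("S3Config.java", SAMPLE_JAVA))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line}: {f.kind}: {f.masked}")
```

Run against the constructed file it reports three findings on lines 5 to 7 (the access key ID, the AWS secret key and the Facebook app secret) and nothing for the bucket name. The fix for anything it reports is the one the article implies: the credential does not belong in the app at all; the app should talk to a backend that holds the secret, or, for AWS, be issued short-lived scoped credentials rather than the account's long-term keys.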

Nieh and Viennot had informed Google, Amazon and the other affected vendors of these flaws and believed developers had been asked to fix the problems highlighted.

"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play - anyone can get a $25 account and upload whatever they want," said Nieh.

"Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."

"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," added Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."

The contribution of PlayDrone is that it shows how researchers can look for security weaknesses using sophisticated automated tools, even on proprietary software markets not designed to make analysis easy. Given that the future of software lies with such platforms and the developers who cluster around them, the study is an impressive piece of work.

Stories by John E Dunn