Google Play analysis reveals security flaws in apps, say researchers

'PlayDrone' decompilation spots insecure credentials

Researchers analysing Google’s Play Store apps using a specially-written ‘crawling’ tool uncovered serious security problems that would have allowed attackers to compromise social media and other accounts, as well as steal the credentials used by developers running on Amazon Web Services (AWS).

For their paper, Professor Jason Nieh and PhD student Nicolas Viennot of Columbia University created a powerful automated tool dubbed ‘PlayDrone’ to decompile 100 billion lines of code relating to the Play store’s 1.1 million apps, 880,000 of which were free.

What they discovered about this software population between June and November of 2013 was at times surprising and occasionally quite concerning.  

Some of what this uncovered was far from obvious. For instance, using a Jaccard index analysis, the pair worked out that a quarter of all the apps on Play are clones of other apps, not just in function but in their underlying code.

Google’s Play store offers a huge amount of choice but, as with other app stores, some of it is illusory; developers re-purpose the same apps over and over again.

The division between the small number of apps that interest users and are downloaded and the huge population that don’t was also stark, with the top 1 percent of apps accounting for 81 percent of all downloads as of November last year. The overwhelming majority of apps that do get downloaded are free, with no paid app accounting for more than 5 million downloads.

More eye-opening were two potentially major security flaws: the way apps store authentication credentials for AWS, and the way mobile clients authenticate themselves using app OAuth tokens (for instance the ‘Login with Facebook’ function).

The pair used PlayDrone to search the decompiled app source code for substrings such as ‘secret’, discovering that a significant number of developers were embedding their AWS credentials within apps – mobile and web applications are often built using such services.

In June 2013 they were able to uncover 308 such tokens from a test run, 94 percent of which were still valid to gain access to those services several months later.

“Exposure of the AWS tokens can provide access to existing AWS resources, potentially leading to a range of confidentiality, integrity, and availability attacks, as well as the capability to allocate new resources at the owner's expense,” explained the authors.

This number was sufficient for an attacker to set up an AWS-hosted botnet, they added.
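The same substring search can be run by developers against their own decompiled builds before publishing. The Python below is an added example, not code from PlayDrone or the paper: the file names and sample source are constructed, the key values are the placeholder keys used in AWS documentation, and the two patterns (the `AKIA` access key ID prefix and a string literal assigned to a name containing ‘secret’) are assumptions about what to look for.

```python
import re

# AWS long-term access key IDs are 20 characters beginning with "AKIA".
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A string literal assigned to an identifier whose name contains "secret",
# the substring the article says the researchers searched for.
SECRET_ASSIGN = re.compile(r"(?i)\b(\w*secret\w*)\b\s*=\s*\"([^\"]{16,})\"")

# Constructed sample of decompiled source; the keys are the AWS documentation
# placeholders, not real credentials.
SAMPLE = {
    "com/example/app/Uploader.java": (
        'public class Uploader {\n'
        '    private static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    private static final String AWS_SECRET = '
        '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
        '}\n'
    ),
    "com/example/app/Settings.java": (
        'public class Settings {\n'
        '    // Value fetched at runtime; nothing embedded.\n'
        '    String secretName = prefs.getString("name", "");\n'
        '}\n'
    ),
}


def redact(value):
    """Keep only the first four characters so the report does not leak the key."""
    return value[:4] + "*" * (len(value) - 4)


def scan_sources(sources):
    """Return sorted (path, line_no, kind, redacted_value) findings."""
    findings = []
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in ACCESS_KEY_ID.finditer(line):
                findings.append(
                    (path, line_no, "aws-access-key-id", redact(m.group(1))))
            for m in SECRET_ASSIGN.finditer(line):
                findings.append(
                    (path, line_no, "secret-literal:" + m.group(1),
                     redact(m.group(2))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_sources(SAMPLE):
        print(finding)
```

A finding in a release build means the key should be rotated and moved out of the app, since anything shipped in the package can be recovered by decompilation.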

As for OAuth, they also discovered that this authentication mechanism was being implemented across a range of popular services – Facebook, Twitter, Bitly and others – in a way that would allow attackers to gain access to them using the same decompilation approach used by PlayDrone.

For Facebook the number of credentials the pair extracted was 1,477, for Twitter 28,235; in principle these could be used to compromise user accounts on these services.

Nieh and Viennot had informed Google, Amazon and other affected vendors of these flaws and believed developers had been asked to fix the flaws highlighted.

“Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play - anyone can get a $25 account and upload whatever they want,” said Nieh.

“Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.”

“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” added Viennot. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”

The contribution of PlayDrone is that it shows how researchers can look for security weaknesses using sophisticated automated tools, even on proprietary software markets not designed to make analysis easy. Given that the future of software lies with such platforms and the developers who cluster around them, the study is an impressive piece of work.


