Google Play analysis reveals security flaws in apps, say researchers
'PlayDrone' decompilation spots insecure credentials
Researchers analysing Google’s Play Store apps using a specially-written ‘crawling’ tool uncovered serious security problems that would have allowed attackers to compromise social media and other accounts as well as steal the credentials used by developers running on Amazon’s Web Services (AWS).
The paper by Professor Jason Nieh and PhD student Nicolas Viennot of Columbia University created a powerful automated tool dubbed ‘PlayDrone’ to decompile 100 billion lines of code relating to the Play store’s 1.1 million apps, 880,000 of which were free.
What they discovered about this software population between June and November of 2013 was at times surprising and occasionally quite concerning.
Related Articles on Techworld
Some of this lid-lift revealed far from obvious facts about Google Play. For instance, the pair worked out using a Jaccard index analysis that a quarter of all the apps on Play are simply clones of other apps, not simply in function but in their underlying code.
Google’s Play store offers a huge amount of choice but as with other apps stores some of it is illusory; developers re-purpose the same apps over and over again.
The division between the small number of apps that interest users and are downloaded and the huge population that don’t was also stark with the top 1 percent of apps accounting for 81 percent of all downloads as of November last year. The overwhelming majority of apps that do get downloaded are free, with no paid app accounting for more than 5 million downloads.
More eye-opening were two potentially major security flaws in the way apps store authentication for AWS and for mobile clients authenticating themselves using app OAuth tokens (for instance the ‘Login with Facebook’ function).
The pair used PlayDrone to search the de-compiled app source code for substrings such as ‘secret’ discovering that a significant number of developers were embedding their AWS credentials within apps – mobile and web applications are often built using such services.
In June 2013 they were able to uncover 308 such tokens from a test run, 94 percent of which were still valid to gain access to those services several months later.
“Exposure of the AWS tokens can provide access to existing AWS resources, potentially leading to a range of confidentiality, integrity, and availability attacks, as well as the capability to allocate new resources at the owner's expense,” explained the authors.
This number was sufficient for an attacker to set up an AWS-hosted botnet, they added.
As for OAuth, they also discovered that this authentication mechanism was being implemented across a range of popular services – Facebook, Twitter, Bitly and others - in a way that would allow attackers to gain access to them using the same decompilation approach used by PlayDrone.
For Facebook the number of credentials the pair extracted was 1,477, for Twitter 28,235; in principle these could be used to compromise user accounts on these services.
Nieh and Viennot had informed Google, Amazon and other affected vendors of these flaws and believed developers had been asked to fix the flaws highlighted.
“Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play - anyone can get a $25 account and upload whatever they want,” said Nieh.
“Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.”
“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” added Viennot. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
The contribution of PlayDrone is that it shows how researchers can look for security weaknesses using sophisticated automated tools, even on proprietary software markets not designed to make analysis easy. Given that the future of software lies with such platforms and the developers who cluster around them the study is an impressive piece of work.