Crucial security flaw found in Google Play: Thousands of secret keys found in Android apps

“In a paper presented — and awarded the Ken Sevcik Outstanding Student Paper Award — at the ACM SIGMETRICS conference on June 18, Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot reported that they have discovered a crucial security problem in Google Play, the official Android app store where millions of users of Android, the most popular mobile platform, get their apps,” ScienceDaily reports.

“‘Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play — anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level,” says Nieh, who is also a member of the University’s Institute for Data Sciences and Engineering’s Cybersecurity Center,'” ScienceDaily reports. “Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their apps software, similar to usernames/passwords info, and these can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps.”

“Nieh notes that even ‘Top Developers,’ designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps,” ScienceDaily reports. “Other findings of the research include showing that roughly a quarter of all Google Play free apps are clones; these apps are duplicative of other apps already in Google Play.”

Read more in the full article here.

MacDailyNews Take: Open. As in, wide.

[Thanks to MacDailyNews Reader “Todd” for the heads up.]

Related articles:
With iOS 8, Apple makes iOS even more secure ahead of smartphone security competition – June 10, 2014
iOS 8′s extensions explained: Opening the platform while keeping it secure – June 9, 2014
New iOS 8 feature lets users cloak their iPhones from tracking by retailers, marketers, other companies – June 9, 2014
New malware takes Android phones hostage, demands ransom for unlock – June 5, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010


    1. In other words: “Screw the user!”

      Why ANYONE thinks they are getting a good product with Android is totally beyond me. One look at the security problems revealed a year ago was bad enough.

      Now the problems are catastrophic for users and no normal user stands a CHANCE IN HELL of knowing if he is affected… so Android users must just assume they are PWNED.

  1. Google motto: “don’t even think of coming to us if anything goes wrong because we’ll just post a copy of your browser history to your HR department.”

  2. Anyone who steals anything from a Google/Android app user’s account will find no treasure chest. If there is a bank account, it is probably already overdrawn. if there are credit cards, they are probably tapped out to limits.

    1. Are they clones to increase visibility? If so, then the total number of Android apps touted is false.
      Or are they simi-clones with a different version to support each phone due to lack of standards?

      If so, then the total number of Android apps touted is STILL false.

  3. A bunch of Android users should just organize a mass Android burning event. First, each user will verbally gripe about all their issues. Next, they will angrily slam the poo into the hellfire and begin to dance and rejoice while watching them melt like the wicked witch. After the infested sewage is incinerated there will be rainbows and unicorns manifesting out of the smoldering. Angels will begin playing harps. Users will shake each other’s hands in a job well done and then finally hokey pokey over to the promised land of iOS.

  4. Who DOESN’T find this sickening? Seriously!

    even ‘Top Developers,’ included these vulnerabilities in their apps,” ….Roughly a quarter of all Google Play free apps are clones; these apps are duplicative of other apps already in Google Play.

    The term ‘Rat’s Nest’ comes to mind.

    Great job there Google not being evil. You allow this. It’s yours. You own it. Hackers pwn it.

    1. Here’s another wonderful tidbit from the source article:

      a list of the top 10 most highly rated apps and the top 10 worst rated apps in Google Play that included surprises such as an app that, while the worst rated, still had more than a million downloads: it purports to be a scale that measures the weight of an object placed on the touchscreen of an Android device, but instead displays a random number for the weight.


      1. I don’t have any Android devices to test with, but I’d love to do a packet capture of the network traffic generated by these free (and seemingly pointless) apps to see how much of my personal info is getting passed along!

  5. Hate to say it, but exactly the same problem exists in thousands of iOS apps.

    iOS app bundles can be unzipped, their contents laid bare to anyone that wishes to look inside them. Often they’ll put secret API keys, such as those mentioned by these Android researchers, in the application’s info.plist file, which is easily read. Alternatively these things will be in plain-text in some other file.

    Many developers simply don’t think about these things, and/or are unaware of how easy it is to see inside an application.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.