aNewDomain.net — PlayDrone, a webcrawler designed to uncover Google Play app security flaws, debuted at the 2014 ACM Sigmetrics convocation this June. The award-winning paper was delivered in Austin, Texas by Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot. With PlayDrone they have uprooted serious security flaws in the official Android app store.
How To Hack
With a toolbox of hacking techniques, PlayDrone is able to to circumvent Google security, successfully download Google Play apps, and recover their source codes. The program scales through the simple process of adding more servers. It’s so fast that by crawling Google Play daily it’s able to download more than 1.1 million Android apps while decompiling more than 880,000 free applications.
The critical security problem that PlayDrone uncovered was this: app developers frequently store their secret keys (similar to usernames and passwords) in their app’s software, leaving these keys vulnerable to malicious theft by hackers.
The stolen keys could be used to hack into user accounts and make purchases or social media posts in the users’ names. Likewise, the keys could be used to steal information and resources from online service providers, such as Amazon. Even when the apps aren’t being actively run, the keys can still be stolen. Even Google Play’s “Top Developers” apps were found to have this vulnerability.
Nieh and Viennot Presentation and Quotes:
Video: A Measurement Study of Google Play
Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
Big data is increasingly important and Android apps are just one form of interesting data. Our work makes it possible to analyze Android apps at large scale in new ways, and we expect that PlayDrone will be a useful tool to better understand Android apps and improve the quality of application content in Google Play.
Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level.”
More Than Security
While the PlayDrone was bent on measuring security, it revealed more about Google Play. Approximately 25 percent of all Google Play free apps are mere clones of other apps under different names and logos. Furthermore, Google Play’s “worst rated app” turns out to be a total fraud: while purporting to be a scale for accurately measuring the weight of an object placed on the touchscreen of an Android device, it actually just generates a random number! The most troubling thing here is that this app still has more than one million downloads despite its poor rating.
Google is actively taking steps to rectify these matters at the time of this writing.
For aNewDomain.net, I’m Brant David.