Team from Columbia Engineering Discover Keys Left in Android Apps from the Play Store

June 19, 2014 - Written By Tom Dawson

 

Google’s Play Store has grown into a formidable force over the years and now it holds millions of apps and games for us all to download and help make the most of our smartphones and tablets. Not only is it great for us, but the Play Store has become great for developers as well. The returns aren’t massive for an app store that mostly features free apps, but there is some money to be made. For an app store as large as the Play Store, though, there are bound to be a few problems, and of course security is always a concern these days. A team from Columbia Engineering took a very close look at Google’s Play Store and came across some interesting finds.

Jason Nieh, Professor of Computer Science, and PhD candidate Nicholas Viennot put numerous hacking techniques into something they called the PlayDrone. The PlayDrone then crawled the Play Store, downloading apps left, right and center, and it was also able to recover the apps’ sources. The scary thing about the PlayDrone is that it was easily scaled by just spreading to more servers and was capable of running 24/7, downloading over 1.1 million apps and decompiling over 880,000 free apps.

The pair soon found out that developers’ secret keys were often left in their applications, including those from the “Top Developers” section of the Play Store. These keys could then be used to access info created by the app and perhaps gain access to users’ online accounts. Thankfully though, the right people carried out this project and Viennot said that “We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place. Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
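For developers who want to catch this before uploading, here is an added example of a pre-release check that scans app source for embedded credentials. It is not PlayDrone's code (the article does not describe how PlayDrone detects keys); the patterns, thresholds and names such as `scan_source` are assumptions, and the sample input is constructed from AWS's documented example credentials.

```python
import math
import re

# Constructed sample standing in for app source; the key values are fake
# (AWS's published documentation examples plus a placeholder).
SAMPLE_SOURCE = '''
public class Config {
    static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String API_BASE = "https://api.example.com/v1";
    static final String appSecret = "changeme";
}
'''

# AWS access key IDs have a fixed shape: a 4-letter prefix plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# name = "literal" assignments (assumed Java-like syntax).
ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]+)"')
# Identifier fragments that suggest a credential (assumed heuristic list).
SECRET_NAME = re.compile(r"secret|token|passw|api_?key|private", re.I)


def shannon_entropy(s):
    """Bits per character; random keys score high, words and URLs lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text, min_len=20, min_entropy=4.0):
    """Return (line number, finding kind, literal) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", m.group()))
        for name, value in ASSIGNMENT.findall(line):
            if AWS_KEY_ID.fullmatch(value) or not SECRET_NAME.search(name):
                continue  # already reported above, or name is not secret-like
            strong = len(value) >= min_len and shannon_entropy(value) >= min_entropy
            kind = "high-entropy-secret" if strong else "low-entropy-secret"
            findings.append((lineno, kind, value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value[:8]}...")
```

Any finding means the value ships to every device that installs the app; the fix is to keep the credential on a server the developer controls and rotate any key that was already published.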

PlayDrone is now working for Google to keep the Play Store a safer place and should help the search giant keep on top of the masses of apps that get uploaded to the Play Store on a daily basis. One of Android’s greatest strengths, its openness, is also one of its weaknesses as all someone needs to upload an app to the Play Store is $25 and of course an app. Moving forward, PlayDrone should hopefully stop apps uploaded by those looking to take advantage of the platform’s openness.