A crucial security flaw was discovered in Google Play by a team of computer scientists from Columbia University.
“So many people download content from Google Play these days, yet there appeared to us to be some potential risks given that no one reviews the content that gets uploaded there,” said Jason Nieh, professor of computer science at the university. “For example, for $25, anyone can upload an app, a very low barrier to entry, and it is immediately available to a huge audience for download.”
Nieh and the team created PlayDrone, a scalable Google Play store crawler that uses hacking techniques (such as simple dictionary-based attacks) to index and analyze more than 1,100,000 Google Play applications on a daily basis. What PlayDrone found was that developers were storing their secret keys in their software. Storing secret keys in software leaves user data or resources from service providers like Amazon and Facebook vulnerable to malicious attacks, according to Nieh.
“Unlike other types of vulnerabilities that require a user to download an app and run it to become vulnerable, this problem relates to server/cloud resources, and users can become vulnerable even without running the app,” he said.
To resolve this problem, Nieh and the team are working with service providers, including Amazon, Facebook and Google, to identify and notify those at risk.