A crucial security flaw was discovered in Google Play by a team of computer scientists from Columbia University.
“So many people download content from Google Play these days, yet there appeared to us to be some potential risks given that no one reviews the content that gets uploaded there,” said Jason Nieh, professor of computer science at the university. “For example, for $25, anyone can upload an app, a very low barrier to entry, and it is immediately available to a huge audience for download.”
Nieh and the team created PlayDrone, a scalable Google Play store crawler that uses hacking techniques (such as simple dictionary-based attacks) to index and analyze more than 1,100,000 Google Play applications on a daily basis. What PlayDrone found was that developers were storing their secret keys in their software. Storing secret keys in software leaves user data or resources from service providers like Amazon and Facebook vulnerable to malicious attacks, according to Nieh.
(Related: Android accounted for more than 97% of malware in 2013)
“Unlike other types of vulnerabilities that require a user to download an app and run it to become vulnerable, this problem relates to server/cloud resources, and users can become vulnerable even without running the app,” he said.
To resolve this problem, Nieh and the team are working with service providers, including Amazon, Facebook and Google, to identify and notify those at risk.
“Google is now using our techniques to proactively scan apps for these problems and notify developers,” he said. “A key goal of ours was to try to make Google play a safer place for everyone.”
PlayDrone also found that about a quarter of all Google Play free apps are duplicates of other apps; the Top 10 worst-rated apps in Google Play had more than a million downloads despite their rating; and that Google Play displayed performance problems resulting in slow app purchases.