Researchers find major security flaw in Android apps on Google Play, working with Google to fix

A recent study presented just yesterday by Columbia Engineering computer science professor Jason Nieh and PhD candidate Nicolas Viennot might be the most comprehensive look yet at the Google Play store and some of the issues plaguing it. The bad news is the researchers were able to discover what they think is a pretty serious security flaw (TheLoop via Phys.org):

Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their app software, similar to username/password info, and these can then be used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps. Nieh notes that even “Top Developers,” designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps.

According to the report, Google is working with the researchers to prevent similar problems in the future and has already started the process of informing developers about necessary changes:

“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” says Viennot. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
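The flaw described above, and the scanning Viennot mentions, comes down to one fact: an APK is a zip archive, and anything a developer compiles into it (classes.dex, assets, resources) can be read by anyone who downloads the app. The Python below is an added example of such a scan, written for this page rather than taken from the researchers' tooling or from Google's scanner. It unpacks an APK in memory and searches every entry as raw bytes for two things: the AWS access-key-ID format (AWS's documented shape, "AKIA" followed by 16 upper-case alphanumerics) and, as a heuristic for secret-key material, standalone 40-character base64-style tokens with high Shannon entropy. The 40-character length, the 4.0-bit entropy threshold, the file names and the sample APK are assumptions constructed for the example; the credential values are AWS's published documentation examples, not live keys.

```python
import io
import math
import re
import zipfile

# Example scanner, not the researchers' PlayDrone tooling: every part of an
# APK is a zip member, so classes.dex, assets and resources are all searched
# as raw bytes. Two detectors:
#  * aws_access_key_id: AWS's documented access-key-ID shape, "AKIA" + 16
#    upper-case alphanumerics.
#  * high_entropy_token: heuristic for secret-access-key-like material, a
#    standalone 40-character base64-ish token whose Shannon entropy is high.
#    The 40-char length and 4.0-bit threshold are assumptions for this example.
AWS_KEY_ID = re.compile(rb"(?<![A-Za-z0-9])AKIA[0-9A-Z]{16}(?![A-Za-z0-9])")
TOKEN40 = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
ENTROPY_BITS = 4.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bytes(name: str, data: bytes) -> list:
    """Return (entry_name, kind, value) findings for one archive entry."""
    findings = []
    for m in AWS_KEY_ID.finditer(data):
        findings.append((name, "aws_access_key_id", m.group(0).decode("ascii")))
    for m in TOKEN40.finditer(data):
        token = m.group(0)
        # Low-entropy tokens (repeated characters, plain words) are skipped.
        if shannon_entropy(token) >= ENTROPY_BITS:
            findings.append((name, "high_entropy_token", token.decode("ascii")))
    return findings


def scan_apk(apk_bytes: bytes) -> list:
    """Scan every file inside an APK (a zip archive) for embedded credentials."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(scan_bytes(info.filename, zf.read(info.filename)))
    return findings


# Constructed sample: a fake APK whose "classes.dex" holds length-prefixed
# string literals the way a DEX string pool does (no quotes around values).
# The credential values are AWS's published documentation examples, not live keys.
SAMPLE_KEY_ID = b"AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DECOY = b"A" * 40  # right length, zero entropy: must not be reported


def build_sample_apk() -> bytes:
    """Build the constructed sample APK in memory (assumed layout, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        dex = (b"dex\n035\x00"
               + bytes([len(SAMPLE_KEY_ID)]) + SAMPLE_KEY_ID + b"\x00"
               + bytes([len(SAMPLE_SECRET)]) + SAMPLE_SECRET + b"\x00"
               + bytes([len(DECOY)]) + DECOY + b"\x00")
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/config.txt", b"endpoint=https://api.example.com/v1\n")
        zf.writestr("res/raw/notes.txt", b"no credentials here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} = {value}")
```

Run against a real APK by passing the file's bytes to `scan_apk`; the scan treats every entry as opaque bytes, so it works on DEX string pools, native libraries and bundled config files alike. The entropy filter is a heuristic and will both miss low-entropy secrets and flag some random-looking non-secrets, so findings need a manual check. The standard remediation is the one implied by the article's framing of the problem: a key that ships inside the APK is readable by anyone who installs the app, so it has to be moved behind a server the app authenticates to rather than hidden by obfuscation.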

Back in April, Google announced that it would soon begin continually scanning apps for malware even after installation to improve the overall security of apps and cut down on malware that makes it past the initial approval process for Google Play.

The full study made for some other interesting findings as well. The researchers found around a quarter of Google Play free apps are clones of other apps, for example. The full study can be viewed online here.

Separately, security firm FireEye has published its own findings on Google Play security in a recent report detailing what it calls a new type of malware.

We’ve reached out to Google for comment but didn’t hear back immediately.
