A recent study presented just yesterday by Columbia Engineering computer science professor Jason Nieh and PhD candidate Nicolas Viennot might be the most comprehensive look yet at the Google Play store and some of the issues plaguing it. The bad news is the researchers were able to discover what they think is a pretty serious security flaw (TheLoop via Phys.org):
Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their apps software, similar to usernames/passwords info, and these can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps. Nieh notes that even “Top Developers,” designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps.
According to the report, Google is working with the researchers to prevent similar problems in the future and has already started the process of informing developers about necessary changes:
“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” says Viennot. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
Back in April, Google announced that it would soon begin continually scanning apps for malware even after installation to improve the overall security of apps and cut down on malware that makes it past the initial approval process for Google Play.
The full study made for some other interesting findings as well. The researchers found around a quarter of Google Play free apps are clones of other apps, for example. The full study can be viewed online here.
Another research firm, FireEye, has made its own discoveries regarding the Google Play vulnerabilities in a recent report detailing what it calls a new type of malware.
We’ve reached out to Google for comment but didn’t hear back immediately.
FTC: We use income earning auto affiliate links. More.