Security researchers at Columbia University created a tool that can crawl and analyze the Google Play store much like Google crawls and analyzes the web ... with a twist.
Their tool, called PlayDrone, was designed to hack Play and the apps uploaded to it, circumventing the security systems Google put in place to prevent that sort of thing, the researchers revealed in a paper recently published by a prestigious computer analysis society, ACM Sigmetrics.
The goal was to find out what kinds of security problems Android apps tend to have. And, after looking at over 1 million apps between June 2013, and November 2013, they discovered a widespread problem that revealed people's Facebook accounts, as well as others like Twitter, Bitly, Flickr, Foursquare, Linkedin, and Google+.
App developers were putting their "secret" key information in the app itself. That's like writing your PIN on your ATM card. Or posting your Facebook password on your public Facebook wall. It might be a convenient place to store such info, but not a safe one.
Many developers were even labeling those secret keys with the word "secret" or "private."
To be fair, this problem wasn't caused by Google, but by the app developers who post their apps in Google Play. In fact, the researchers say that Google stopped the problem by using PlayDrone to scan apps and telling developers to remove secret keys when they find them.
The researchers also waited months to publish their research, giving app developers time to fix their apps.
But the scariest part was the type of app that had this problem, and how some dragged their feet to fix it. In some cases the holes were still there after November when they had officially shut down their research project after warning app developers.
The paper explains, "For example, the popular Airbnb application still contained their Facebook, Google, LinkedIn, Microsoft, and Yahoo secret tokens from June 22, 2013 until well past November 11, 2013."
The researchers used that information to "access the email and friends list of Airbnb users." After notifying Facebook, Facebook banned the Airbnb app from using Facebook credentials to let their users log in. "In a matter of hours" after that, Airbnb fixed their Android app.
The good news to take away from all of this, is that Google is getting smarter about enforcing security rules for Android apps.
CREDIT: BI
No comments:
Post a Comment