While many argue that malware on Google’s Android isn’t a real problem, the fact remains that apps with malicious capabilities are constantly being discovered. The problem is especially serious in third-party app stores, but it also exists in Google Play, where issues such as the recent app permission change might let developers silently add malicious features to their apps without the user knowing.
On top of that, a new research paper details an even more serious security flaw in Google Play that can be used to expose personal details of users, even if they aren’t using an app.
Phys.org reports that two researchers — professor of computer science at Columbia Engineering Jason Nieh and PhD candidate Nicolas Viennot — have inspected Google Play security by devising a tool “that uses various hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources.”
They managed to download more than 1.1 million Android apps and decompile over 880,000 free apps, only to find that developers often store secret keys in app software, including usernames and passwords for services such as Facebook, Amazon and others. Data retrieved in such a manner can expose Android users even though they may not be using a certain app anymore.
In fact, it appears that even companies that have been designated by Google as “top developers” use the same techniques with their apps. But Google has started contacting developers to discontinue this practice.
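A developer-side check for the practice described above, as an added example that is not from the paper or the researchers' tool: it scans source (or decompiled output of your own build) for string constants that look like embedded credentials before the app is published. The rule names, the regular expressions and the 4.0-bit entropy threshold are assumptions of this sketch, and the sample source is constructed, using the placeholder keys from AWS's public documentation.

```python
import math
import re

# Constructed sample in the style of decompiled Java. The two AWS values are the
# placeholder keys from AWS's public documentation, not live credentials.
SAMPLE_SOURCE = '''
public class Uploader {
    static final String ACCESS = "AKIAIOSFODNN7EXAMPLE";
    static final String SIGNING = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String PADDING = "0000000000000000000000000000000000000000";
    static final String dbPassword = "example-password-1";
    static final String BUCKET = "user-uploads";
}
'''

# Heuristics chosen for this example (assumptions, not an exhaustive rule set).
ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"\\]*)"')
ACCESS_KEY_ID = re.compile(r'AKIA[0-9A-Z]{16}')
SECRET_SHAPE = re.compile(r'[A-Za-z0-9/+=]{40}')
SUSPICIOUS_NAME = re.compile(r'passw|secret|token|api_?key', re.IGNORECASE)


def shannon_entropy(text):
    """Bits per character; random key material scores far above padding or words."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def redact(value):
    """Keep findings reportable without copying the secret into the report."""
    return value[:4] + '*' * (len(value) - 4)


def scan_source(source):
    """Return (line_number, rule, identifier, redacted_value) for each finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in ASSIGNMENT.findall(line):
            if ACCESS_KEY_ID.fullmatch(value):
                rule = 'aws-access-key-id'
            elif SECRET_SHAPE.fullmatch(value) and shannon_entropy(value) >= 4.0:
                rule = 'high-entropy-40-char-string'
            elif value and SUSPICIOUS_NAME.search(name):
                rule = 'credential-like-identifier'
            else:
                continue
            findings.append((lineno, rule, name, redact(value)))
    return findings
```

The entropy test is what keeps the 40-character padding constant out of the report while the key-shaped string is flagged; any finding means the credential belongs on a server the app talks to, not in the shipped package.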
“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” Viennot said. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
The full paper on the matter, which was awarded the Ken Sevcik Outstanding Student Paper Award, is found at the Source link below.