
Communications of the ACM

ACM TechNews

Columbia Engineering Team Finds Thousands of Secret Keys in Android Apps


Columbia University researchers have found that developers often store their secret keys in their app software, which can allow hackers to steal user data or service provider resources.


Columbia University researchers, in a paper that won the Ken Sevcik Outstanding Student Paper Award at the ACM SIGMETRICS conference on June 18, have discovered a security problem in Google Play.

"Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content," says Columbia professor and paper co-author Jason Nieh.

The researchers developed PlayDrone, a tool that uses various hacking techniques to bypass Google security to download Google Play apps and recover their sources. Using PlayDrone, the researchers discovered that developers often store their secret keys in their app software, and that hackers can use these keys to maliciously steal user data or resources from service providers.

"Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future," says Columbia Ph.D. student and paper co-author Nicolas Viennot. He notes developers already are receiving notifications from Google to fix their apps and remove the secret keys.

"Our work makes it possible to analyze Android apps at large scale in new ways, and we expect that PlayDrone will be a useful tool to better understand Android apps and improve the quality of application content in Google Play," Nieh says.

From Columbia University


Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA

