Researchers reveal Google’s huge security hole


Researchers have revealed a massive security hole in the Google app store that puts millions of people at risk: ‘secret keys’ were discovered that can reveal users’ private information. Bug put millions of users at risk.
A major security flaw in Google’s Play Store that could expose users’ private data has been revealed by researchers.
The bug, which the team has worked with Google, Facebook and other app makers to fix before revealing it, put millions of users at risk, the researchers said.
The bug would allow hackers to steal user data from Facebook, Amazon and others using ‘secret’ keys the team uncovered.
The research was revealed in a paper presented—and awarded the prestigious Ken Sevcik Outstanding Student Paper Award—at the ACM SIGMETRICS conference.
Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot said they were stunned by the scale of their find.

HOW THEY DID IT
The researchers created an app called PlayDrone, which used various hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources.
They were then able to decompile the apps to see their code.
They then found that developers often store their secret keys in their apps’ software, similar to username and password information, and these can then be used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook.

‘Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level,’ says Nieh.

Potential risks to millions
‘Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.’
Nieh and Viennot’s paper is the first to make a large-scale measurement of the huge Google Play marketplace.
PlayDrone scales by simply adding more servers and is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and decompiling over 880,000 free applications.

50 billion app downloads
Google Play, the Android app store, has more than one million apps and over 50 billion app downloads. Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their apps’ software, similar to username and password information, and these can then be used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook.
These vulnerabilities can affect users even if they are not actively running the Android apps.
Nieh claims that even “Top Developers,” designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps.


‘We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,’ says Viennot.
‘Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.’
In fact, Nieh adds, developers are already receiving notifications from Google to fix their apps and remove the secret keys.
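One way a developer could check an app's own source for embedded keys before uploading it, as an added example that is not code from the article, the researchers or Google. The regular expressions, the entropy threshold and the sample class are assumptions made for illustration.

```python
import math
import re

# Assumed rule set, not taken from the article or the researchers' paper.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID shape
ASSIGNMENT = re.compile(  # credential-like name assigned a long literal
    r'\b(\w*(?:secret|token|api_?key|password)\w*)\s*=\s*"([^"\s]{16,})"',
    re.IGNORECASE)

def shannon_entropy(value):
    """Bits per character; placeholder strings such as 'xxxx...' score 0."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def redact(value):
    """Keep a 4-character prefix so the report itself does not leak the key."""
    return value[:4] + "*" * (len(value) - 4)

def scan_tree(sources, min_entropy=3.0):
    """sources maps path -> file text; returns (path, line, rule, redacted)."""
    findings = []
    for path, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in AWS_KEY_ID.finditer(line):
                findings.append(
                    (path, lineno, "aws-access-key-id", redact(m.group())))
            for m in ASSIGNMENT.finditer(line):
                # Skip dummy values: real keys are long and high-entropy.
                if shannon_entropy(m.group(2)) >= min_entropy:
                    findings.append(
                        (path, lineno, "hardcoded-credential", redact(m.group(2))))
    return findings

# Constructed sample: every value below is a made-up placeholder.
SAMPLE_SOURCES = {
    "com/example/app/Config.java": (
        'public class Config {\n'
        '    static final String AWS_ID = "AKIAEXAMPLEEXAMPLE00";\n'
        '    static final String FB_APP_SECRET = "0123456789abcdef0123456789abcdef";\n'
        '    static final String API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx";\n'
        '    static final String PASSWORD_HINT = "enter your password here";\n'
        '}\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_SOURCES):
        print(*finding)
```

A finding means the key should be revoked at the provider and moved out of the app, since anything shipped in the package can be recovered by decompiling it.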

Google Market
The upgrading of Google Market to Google Play does not come as a surprise, considering that Google has been at the forefront of enhancing its innovations and content distribution. Google Play works within cloud computing systems, where it offers storage for all entertainment products and services and users can access them. Cloud computing is an ideal way of accessing content because users do not have to worry about storage, moving files, or even losing them.
Google Play is a marketplace store offering access to music, books, games, TV, magazines, apps, and movies. It is no longer limited to Android mobile users; desktop users can also access these products, whether free or paid. It is more of a supermarket than a simple app listing service.
The Google Play system makes sure that you can access your favourite music, books, apps, movies, games, magazines, and TV channels all in one place, right from the web on your desktop browser or from an Android device. Perhaps what Google has done with Google Play is to emphasize cloud-based accessibility of content, considering that you can rent a movie from the site and have it delivered to your phone, or you can buy a license for a book on your phone and read it from your browser.
Non-Android users are able to use Google Play, even though this market is heavily marketed to Android users. Google users, including non-Android users, can use this service and take advantage of the cloud-based data storage. Since Google Play is cloud based, the purchases you make will not eat up storage on your computer, phone, or tablet. You can upload and purchase your favourite music, rent a movie, or buy books on one computer and be able to access them on any other desktop.
For app developers, the app submission process seems to be less tedious when compared to others like the iOS App Store. With Google Play, developers enjoy freedom when it comes to the general editorial content of their apps. The initial cost for developers to submit apps to Google Play is also minimal.

Disadvantages
One problem with Google Play is that it has subjected its Android app users to simultaneous upgrades and updates through its rebranding of the Google Market. Nonetheless, the store retains most of the services it offered before, but new navigation buttons have been added to make it easier for users to access the diverse content available from this platform.
Although you can upload your own music, you cannot upload your own movies to access them in the cloud, because Play Movies works as a rental service. The Google Play Book is a license-only service that enables you to read the books, and if you purchase one and travel to a location where the books are not sold, then the books on the device may be deleted, and you have to re-download them when you travel back to locations where they are sold.

Source: Weekly Holiday