Secret Keys Make Thousands of Users Vulnerable to Data Theft

19 Jun 2014
by Reggie Pierce

The apps you download from Google Play may be unknowingly giving up your private information to hackers.

According to new research from Columbia University’s Jason Nieh, professor of computer science, and Nicholas Viennot, PhD candidate, the software of thousands of apps contains secret keys to third-party APIs. A secret key is like a username and password, and with this key hackers can access resources and data from tech giants such as Amazon and Facebook.

Nieh and Viennot report that “Top Developers” promoted by Google Play are not exempt from this issue, and have been found to include this vulnerability in their software.

Google is working to resolve this issue, and developers are being alerted so that fewer new apps are created with accessible secret keys. While Google has made strides in the past to protect Android users from malware, Nieh and Viennot estimate that out of all free apps on Google Play, 25% are clones of another app. Their research also discovered that being one of the top 10 worst-rated apps on Google Play does not stop an app from accruing large download numbers. DroidScale, the worst-rated app (due to overall unpopularity and negativity of user reviews), claims to weigh objects placed on the phone or tablet. In reality it simply shows a random number, but it has over 1,000,000 downloads.

Check the IP Lasso blog for continuing updates on security in the ever-shifting app universe.

The full research paper can be read here.
