A significant security issue has been discovered in the Play Store, where Developers have been leaving keys inside the software. Those keys can lead to data being compromised, and can affect us even when the app is not in use. Google is currently working with the researchers responsible for this discovery on a fix.
Columbia University Computer Science Professor Jason Nieh and PhD candidate Nicolas Viennot led the study. Creating a tool named PlayDrone, they set out to crawl Google Play on a daily basis — all one million-plus apps. They downloaded and decompiled over 1.1 million apps, including 880,000 freebies. Aside form some interesting tidbits about free apps — like most of them are clones of other apps — they made a startling discovery about the security of apps as it relates to the sign-in procedure.
From phys.org, we get the best explanation of the evidence found:
Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their apps software, similar to usernames/passwords info, and these can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps. Nieh notes that even “Top Developers,” designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps.
The question is what “providers such as” means. There is no knowing if this affects any kind of third-party sign-in for an app (one where you don’t create a separate profile), or just ones that aren’t Google+ sign-ins. We also don’t know if signing in to any app at all affects us.
Google recently committed to searching for malware after apps were uploaded to the Play Store, but this takes it a step further. Viennot notes Google is using their tool to scan apps, and is working on a fix.