Oftentimes secret keys are not obfuscated or protected in any way

Jun 19, 2014 12:14 GMT  ·  By

Researchers used a custom crawler, PlayDrone, to download and decompile more than 880,000 free Android apps, uncovering thousands of secret tokens for service-to-service authentication embedded in their source code.

Authentication tokens are secret keys that apps use in place of login credentials when communicating with a third-party service, as Facebook or Twitter clients do. The keys are meant to be shared only between the two services involved in the exchange and should be protected accordingly.

Researchers at Columbia University built the PlayDrone crawler, which uses several techniques to bypass the protective measures Google imposes, in order to conduct a large-scale measurement of the official Android marketplace. The findings are presented in a paper by Jason Nieh, Edward Garcia and Nicolas Viennot.

After decompiling more than 880,000 free apps, the researchers searched the resulting source code for specific words such as “secret.” They chose this query because they found that many developers store the authentication token in a constant whose name contains the substring “secret.”

The potential for abuse is huge given that the tokens can be stolen through malicious activity and used to compromise user accounts.

In a snapshot of Google Play from June 22, 2013, PlayDrone found unique tokens for services from Amazon (308), Facebook (460), Twitter (6,228), Bitly (616), Flickr (89), Foursquare (177), Google (225), LinkedIn (181), and Titanium (1,783); some of them were reused by the developers or have been embedded in the SDKs.

These are only rough figures: the detection relied on regular expressions with a handful of search patterns, and it did not account for tokens hidden in obfuscated code.
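As an added illustration (not the researchers' code), the following Python scanner applies the same naming heuristic to a constructed fragment of decompiled Java source and also shows the limitation just described: a constant renamed by an obfuscator is not found. The sample source and every string value in it are constructed placeholders; the `min_len` filter is an assumption added to drop short UI strings that merely mention "secret".

```python
import re

# Constructed sample of decompiled Java source (placeholders, not from any real app).
# Lines 3 and 4 follow the naming habit the study relied on (identifier containing
# "secret"); line 5 is a UI label; line 8 is the same kind of value after identifier
# obfuscation, which the substring heuristic cannot see.
SAMPLE_SOURCE = """\
public class TwitterClient {
    public static final String CONSUMER_KEY = "placeholder_consumer_key";
    public static final String CONSUMER_SECRET = "placeholder_consumer_secret_value";
    private static final String oauthSecret = "placeholder_oauth_secret";
    private static final String SECRET_TAB_TITLE = "Secrets";
}
public class a {
    public static final String b = "placeholder_obfuscated_secret";
}
"""

# A Java String constant whose identifier contains "secret" (any case) and whose
# initializer is a string literal.
SECRET_CONST_RE = re.compile(
    r'(?:static\s+)?final\s+String\s+'
    r'(?P<name>[\w$]*secret[\w$]*)\s*=\s*'
    r'"(?P<value>[^"]*)"',
    re.IGNORECASE,
)


def find_secret_constants(source: str, min_len: int = 16):
    """Return (line_no, name, value) for each constant matching the heuristic.

    min_len drops short literals (labels, titles) that only mention "secret".
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in SECRET_CONST_RE.finditer(line):
            if len(m.group("value")) >= min_len:
                hits.append((line_no, m.group("name"), m.group("value")))
    return hits


if __name__ == "__main__":
    # Reports CONSUMER_SECRET and oauthSecret; the obfuscated constant "b" is missed.
    for line_no, name, value in find_secret_constants(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} = {value[:8]}...")
```

Running the scanner against a release build rather than its source shows the same blind spot from the other side: once ProGuard-style renaming is applied, a name-based check finds nothing, so secrets must be kept out of the shipped app rather than hidden in it.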

When the researchers checked the tokens' validity about five months later, on November 11, 2013, more than 95% of them could still be used for most services, and every Flickr token remained valid.

“We worked with service providers, including Amazon, Facebook, and Google, to identify and notify customers at risk, and make the Google Play store a safer place,” write the researchers.

The PlayDrone measurement also revealed that some poorly rated apps have been downloaded at least a million times, and that as much as 25% of the content on the marketplace is duplicated.

Some of the tools built by the researchers are now used by Google to improve the verification of apps published on Google Play. The company already runs scanners that look for certain vulnerabilities and plans to add checks and automated notices to developers for specific issues.