Many Android apps on Google Play contain authentication keys that can be easily taken to steal corporate and personal data

University researchers have found that developers often store authentication keys in the Android apps on Google Play, making it possible for criminals to steal corporate or personal data.

The major security threat has cast doubt on the effectiveness of the automated scanning tools Google uses to uncover malicious code and other problems that could pose a risk to users.

“If I’m a CISO, and I’m trying to make decisions about BYOD policies for my corporation, I might say, ‘you know what – Android, not cool,’” Jonathan Sander, strategy and research officer for STEALTHbits Technologies, said.

Google, which has been notified of the problem, did not respond to a request for comment.

Columbia University researchers developed a tool they called PlayDrone that indexed and analyzed more than 1.1 million apps in Google Play, the official online store for people with smartphones and tablets running Google’s Android operating system.

Using various hacking techniques, PlayDrone circumvented Google’s technology to prevent indexing of store content and extracted the source code of more than 880,000 free applications. In decompiling and analyzing the apps, the researchers discovered that “developers often store secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation.”

The authentication keys are used in making secure connections between apps and the servers they communicate with.
If criminals get the keys, they could decrypt information the app stores on a remote server, even those belonging to a cloud service provider, such as Amazon Web Services or Facebook, the researchers said.

“If there is corporate data in the cloud, and a company had an app that had the secret keys in it, someone could potentially steal data from the cloud,” Jason Nieh, co-author of the research report, said in an email.

Some apps connecting to Facebook were found to contain authentication keys, Nieh said. Once notified, Facebook stopped accepting the keys, which forced the developers to change the apps to continue working with the service.

“How substantial the changes are depends on the service provider and the app,” Nieh said. “In some cases, the changes can be substantial.”

If a criminal finds an Android app with the keys stored inside, then it would be “pretty trivial” to decompile the app as the researchers did, Theodora Titonis, vice president of mobile security for Veracode, said. “There are tools readily available to do that,” she said.

The most likely reason developers would store such an important component in the app is to avoid writing the additional code required to store the keys on the server, where they would be more secure, Titonis said. “There’s more complexity,” she said.

Mobile app developers are notorious for reducing their workload by cutting corners on security. In most cases, getting the app out to market as quick as possible trumps better protection for users, experts say.

A study conducted last year by Hewlett-Packard found that 86 percent of the mobile apps published by 600 Forbes Global 2000 companies did not have adequate security in place to defend against the most common exploits.
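The practical takeaway for a development team is that anything shipped inside the APK should be treated as public, so a release check that decompiles the team's own build and scans it for embedded credentials catches the problem before an attacker does. The following added example (written for this article, not the PlayDrone tool or any vendor's product) does that scan over constructed samples of a decompiled strings.xml and a Java constants class; the regexes and the 3.0-bit entropy cutoff are illustrative assumptions, and the key values are documentation-style placeholders.

```python
import math
import re
from typing import Dict, List

# Credential formats this check looks for. These regexes are an assumption for
# illustration, not the signatures used by the PlayDrone researchers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}secret.{0,20}['\"]?(?P<value>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "facebook_app_secret": re.compile(
        r"(?i)(?:facebook|fb).{0,20}secret.{0,20}['\"]?(?P<value>[0-9a-f]{32})(?![0-9a-f])"),
    # Any Android string resource whose name suggests it holds a credential.
    "suspicious_string_resource": re.compile(
        r'(?i)<string name="[^"]*(?:secret|api_?key|token)[^"]*">(?P<value>[^<]{16,})</string>'),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: real keys score high, placeholders like 'xxxx' near 0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_decompiled_sources(files: Dict[str, str], min_entropy: float = 3.0) -> List[Dict]:
    """Scan decompiled text (Java sources, res/values/strings.xml) for embedded credentials."""
    findings, seen = [], set()
    for path, text in files.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group("value")
                line = text.count("\n", 0, m.start()) + 1
                if (path, line, value) in seen or shannon_entropy(value) < min_entropy:
                    continue  # same value already reported, or a low-entropy placeholder
                seen.add((path, line, value))
                findings.append({"file": path, "line": line, "kind": kind, "value": value})
    return findings

# Constructed sample of what a decompiled app might contain; the values are
# documentation-style placeholders, not live credentials.
SAMPLE_FILES = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">ExampleApp</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="api_key">xxxxxxxxxxxxxxxxxxxx</string>
</resources>""",
    "com/example/Config.java": """public final class Config {
    static final String AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String FB_APP_SECRET = "0123456789abcdef0123456789abcdef";
}""",
}

if __name__ == "__main__":
    for f in scan_decompiled_sources(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} -> {f['value'][:6]}...")
```

A hit on any of these kinds means the key must be moved behind a server-side endpoint the app authenticates to, which is the fix the article's sources describe.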