Whose phone screen isn’t full of app icons? In 2012, a total of 25,000 million apps were downloaded from Google Play onto Android phones. Why such a high figure? Let’s look again at the numbers: about 80% of the terminals sold around the world use this operating system, way ahead of Apple’s iOS.
Another reason is the ease with which apps can be installed on phones and the fact that most of them are free. Just as getting them is simple, adding your own app to the list is not difficult either.
If you’re a developer, it can cost just US$25. For this amount you can upload all the apps you want and they’ll be immediately available to users.
If it all seems too easy, that’s because it is. And that’s precisely one of the system’s weak points. As Nicolas Viennot, Edward Garcia and Jason Nieh demonstrated, there is zero supervision in this regard. No one checks to ensure that new apps are not malicious and, once they’re installed, these apps could have access to the personal data of many users.
As practically no research had been carried out in this field, these three students from Columbia University (New York) decided to test the reliability of the apps available in the Google Play catalog. To do this they created PlayDrone, a program that has enabled them to track and analyze more than a million apps.
Beating the system
The tool they created managed to access the metadata and source code of 880,000 free Android apps. They had to use ten servers during their two incursions, in May and November 2013, into Google’s system. They had managed to hack (albeit with good intentions) the mechanisms used by Google to protect its app store.
In doing this they discovered that 25% of apps on Google Play were just copies of others or simply spam; that the system’s ranking of the most popular apps was not always accurate and that the program code in 15% of apps contained errors.
When it came to popularity ratings, their data indicated that, although they were quite representative for paid apps, they were sometimes even back-to-front in the case of free ones. Those that had supposedly been used most were actually the least downloaded.
As if all of this weren’t enough, the researchers found that “developers often store secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation.” The idea was to demonstrate that the system is vulnerable and highlight how any malicious user could use this to steal sensitive data from users of these apps.
Fortunately, these researchers have said that they are now working with Google, Facebook and Amazon (who were also involved) to resolve the problems they uncovered.
This is why Panda Security always strives to offer you maximum protection. The privacy audit feature in our antivirus for Android shows you the access rights of the apps you install on your device. You can see what permissions they have and which ones could end up costing you money.