Researchers: Many Android apps contain private keys

Researchers from Columbia University have discovered that thousands of apps in the Play Store contain private keys, for example for Amazon Web Services. Those private keys could be stolen by malicious parties.

The keys involved are for services such as Amazon Web Services, Facebook and LinkedIn. More than 6,000 Twitter keys were found.

There is no reason to include private keys in an app; it is unknown why apps do so anyway. According to the researchers, developers whom Google classifies as ‘top developers’ are also guilty of the security problem.

The researchers have worked with Google, as well as Amazon and Facebook, to contain the security problem. In addition, Google now automatically scans apps in the Play Store for embedded private keys. Developers whose apps contain private keys are warned to stop including them.

The researchers discovered the vulnerability by automatically downloading apps from the Play Store and then analyzing them automatically. They built a tool for that, PlayDrone. Thanks to this tool, the researchers also report that a quarter of the apps in the Play Store are exact copies of apps that were already in the Play Store.
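
A developer-side version of this kind of automated check, as an added example that is not PlayDrone or Google's scanner: it walks an APK (a ZIP archive) before release and flags strings shaped like AWS access key IDs or PEM private-key headers. The patterns, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Publicly documented credential shapes; assumed here, not taken from the article.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

def scan_bytes(data):
    """Return sorted (rule, match) pairs found in one file's raw bytes."""
    # resources.arsc may store strings as UTF-16LE; dropping NUL bytes is a
    # cheap heuristic that makes ASCII-range UTF-16 text matchable as well.
    hits = set()
    for view in (data, data.replace(b"\x00", b"")):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(view):
                hits.add((rule, m.group(0).decode("ascii")))
    return sorted(hits)

def scan_apk(apk, max_entry_size=64 * 1024 * 1024):
    """Scan each entry of an APK (path or file object); return
    (entry_name, rule, match) tuples in archive order."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            # Skip directories and entries whose declared size is too large.
            if info.is_dir() or info.file_size > max_entry_size:
                continue
            for rule, match in scan_bytes(zf.read(info)):
                findings.append((info.filename, rule, match))
    return findings

def build_sample_apk():
    """Constructed sample: a tiny ZIP laid out like an APK, with fake secrets."""
    fake_key = "AKIA" + "EXAMPLE0EXAMPLE0"  # constructed, not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00\x14" + fake_key.encode() + b"\x00")
        zf.writestr("resources.arsc", ("key=" + fake_key).encode("utf-16-le"))
        zf.writestr("assets/id.pem", b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n")
        zf.writestr("res/raw/readme.txt", b"nothing secret here")
    buf.seek(0)
    return buf
```

Run against a release build in CI, a non-empty result from `scan_apk` is a reason to fail the build and move the credential to a server-side component.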
