A recent scan of the Google Play market found that Android apps contained thousands of secret authentication keys that could be maliciously used to access private cloud accounts on Amazon or compromise end-user profiles on Facebook, Twitter, and a half-dozen other services.
The finding is the result of PlayDrone, a system that uses a variety of hacking techniques to bypass security measures intended to prevent third parties from crawling Google Play. The brainchild of computer scientists at Columbia University, PlayDrone comprehensively indexed Play contents, downloaded more than 1.1 million apps, and decompiled more than 880,000 of them. It is believed to be the first large-scale measurement of the sprawling Google marketplace, which offers more than one million apps and has fostered 50 billion app downloads to date.
One of the most surprising observations PlayDrone made was that many apps contain secret authentication keys that can compromise accounts belonging to both developers and end users. Source code for the official AirBnB app, for example, included secret OAuth tokens for Facebook, Google, LinkedIn, Microsoft, and Yahoo. The credentials were supplied by the service providers and act as a skeleton key of sorts that allows an app to access private account data for each user. By plucking them out of the AirBnB app, an attacker could use it to read and possibly modify or add data for millions of users' profiles.