The Google Play Store is the focal point of most Android users’ digital world; the go-to portal for apps, games, movies, books, music, and other such wondrous content. But even though Google’s stringent moderation system ensures that infiltration by malicious software is kept to a minimum, there appears to a fundamental flaw in the Play Store’s infrastructure that leaves users potentially vulnerable to having their passwords and personal credentials logged without explicit consent.
Given Android’s open source nature, it is in a constant battle to remain clear of the continual wave of malware out to hack devices, steal passwords, and generally cause nuisance. Third-party app stores certainly don’t help in Google’s ongoing quest to keep users safe from these kinds of attacks, but as per a new piece of research by a computer science professor and PhD student at Columbia, the search giant’s own house isn’t quite in order.
As discovered by professor Jason Nieh and PhD student Nicolas Viennot, developers of third-party apps often log usernames and passwords of sites and networks ranging from Facebook to Amazon, and even when an app is deleted, this information is retained.
The pair compiled a special tool that mass-downloaded 1.1 million Android apps. From there, the tool also then decompiled the apps and found that frequently, developers are bundling secret keys that scan for personal data, and even after you decide to wipe an app from your Android device, the personal info may still be at large.
It’s a worrying trend that seems even to be affecting apps from so-called Top Developers of the Play Store, and at a time where transparency over user privacy is at an all-time high, this seems a very flagrant breach of position.
It’s worth pointing out that it’s not the official Facebook, Amazon etc. apps that are problematic, but Google has nevertheless responded by notifying developers that they must cease this kind of activity. The authors of the research paper are also working with the likes of Google, Facebook and Amazon to ensure that affected Android users are made aware of the issue and can adjust their personal info if need be.
Google has also pledged to implement measures to prevent developers nabbing such data in the future, and hopefully, the situation can be rectified quickly and effectively.
The full exposé on the rather unscrupulous activity can be seen here.
You may also like to check out: