In a paper presented—and awarded the prestigious Ken Sevcik Outstanding Student Paper Award—at the ACM SIGMETRICS conference on June 18, Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot reported that they have discovered a crucial security problem in Google Play, the official Android app store where millions of users of Android, the most popular mobile platform, get their apps.
“Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level,” says Nieh, who is also a member of the University’s Institute for Data Sciences and Engineering’s Cybersecurity Center. “Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.”
Nieh and Viennot’s paper is the first to make a large-scale measurement of the huge Google Play marketplace. To do this, they developed PlayDrone, a tool that uses various hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources. PlayDrone scales by simply adding more servers and is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and decompiling over 880,000 free applications.