Bugs in 12,700 Popular Android Applications Expose Hardcoded Passwords, Hidden Menus, and Security Backdoors, New Study Finds

12,700 Android Apps With Hardcoded Passwords, Hidden Menus, and Backdoors

Without mobile applications, your smart device is nothing more than an expensive feature phone with a big touchscreen display and a terrible battery life. We use mobile apps for all sorts of purposes, and we keep finding new ones that help us get through our workday or keep us entertained once it's over. It's easy to forget that these apps are created by real human beings who make mistakes. A recent research paper shows just how frequent these mistakes can be.

The experiment

The problem with software bugs is that they are often difficult to locate. Large-scale research is not really feasible if experts need to manually reverse engineer apps one by one, which is why a team of researchers from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security developed an automated tool called InputScope, which they used to analyze a total of 150 thousand Android applications. InputScope is designed to automatically find bugs in applications' code, and because the experts were interested in high-impact mistakes, they took some of the most popular Android apps.

They ranked the apps by the number of installs and took the top 100 thousand free applications from Google Play, and the top 20 thousand free apps from Baidu Market. They also included a total of 30 thousand versions of pre-installed apps on Samsung mobile devices.

It should be fairly obvious that finding all the bugs in 150 thousand mobile applications is not really possible. The experts focused on errors in which certain user input would result in unexpected or undocumented behavior.

The results

A whopping 12,706 applications were found to fit this bill, and the team of researchers evaluated the situation as "concerning." This is hardly surprising. Let's not forget that we're talking about applications used by millions of people. Close to one in every ten of them comes with a bug that, as we'll find out in a minute, could be quite serious sometimes.

What's more, although the experiment focused on Android apps, some of the test subjects share their codebase with their iOS equivalents, which means that yet more users might be affected.

The consequences

The nature of the unexpected behavior the apps demonstrated was almost as varied as the nature of the apps themselves. InputScope found quite a few hardcoded passwords and secret keys in many applications that unlock various hidden resources.

In some cases, they would open debug menus that were carried over from the development stages to the production app by mistake. Some apps would come with hardcoded secrets that unlock premium features or remove ads. More worryingly, the secret keys embedded in close to 7 thousand of the applications would give attackers access to personal data, which the experts classify as backdoor-like behavior.
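As an added illustration (this is not InputScope itself, whose analysis is far more involved), the heuristic below scans constructed lines of decompiled Android source for the pattern the study describes: a value that came from user input being compared against a hardcoded string literal. The sample lines, variable names and the list of input-source methods are assumptions made for the example.

```python
import re

# Constructed sample of decompiled Android source, not taken from any real app.
SAMPLE_SOURCE = """
String code = editCode.getText().toString();
String pw = getIntent().getStringExtra("pw");
String promo = promoField.getText().toString().trim();
String savedName = prefs.getString("name", "");
if (code.equals("DEBUG-2020")) { showDebugMenu(); }
if (promo.equalsIgnoreCase("FREEPREMIUM")) { unlockPremium(); }
if ("letmein".equals(pw)) { grantAdminAccess(); }
if (name.equals(savedName)) { greet(); }
if (BuildConfig.DEBUG && code.equals("DEBUG-2020")) { showDebugMenu(); }
"""

# Assumed set of calls that introduce user-controlled input in Android code.
INPUT_SOURCES = re.compile(r"\.getText\(\)|getStringExtra\(|getQueryParameter\(")
# `String var = <expr>;` assignments, used to learn which variables hold input.
ASSIGN = re.compile(r"\bString\s+(\w+)\s*=\s*(.+);")
# `var.equals("lit")` / `"lit".equals(var)`, including the IgnoreCase variants.
CMP_VAR_FIRST = re.compile(r'\b(\w+)\.equals(?:IgnoreCase)?\("([^"]*)"\)')
CMP_LIT_FIRST = re.compile(r'"([^"]*)"\.equals(?:IgnoreCase)?\((\w+)\)')


def find_hardcoded_secret_checks(source: str) -> list:
    """Report every comparison of an input-derived variable with a string literal."""
    tainted = set()   # variable names assigned from an input source
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            if INPUT_SOURCES.search(m.group(2)):
                tainted.add(m.group(1))
            continue
        hits = CMP_VAR_FIRST.findall(line)                       # (var, literal)
        hits += [(v, lit) for lit, v in CMP_LIT_FIRST.findall(line)]
        for var, literal in hits:
            if var in tainted:
                findings.append({
                    "line": lineno,
                    "variable": var,
                    "secret": literal,
                    # A BuildConfig.DEBUG guard means the path is off in release builds.
                    "guarded": "BuildConfig.DEBUG" in line,
                })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secret_checks(SAMPLE_SOURCE):
        print(f)
```

The comparison against `savedName` is not reported because the right-hand side is another variable rather than a literal, which is the distinction that separates ordinary logic from a baked-in secret. Hits like these are what a release review should remove or move server-side, and a `BuildConfig.DEBUG` guard is the minimum for any debug menu that must stay in the code.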

This is a serious issue, but unfortunately, it wasn't handled as well as it should have been. The researchers contacted the developers of all affected apps, but some of them didn't respond. We shouldn't forget that we're talking about thousands of lines of code. Mistakes are inevitable, and sometimes the consequences are serious. The sad part is that often there's little you can do to protect yourself. That being said, if you are more careful with what you install on your phone, you are more likely to avoid the buggy apps.

April 6, 2020