University researchers have found that developers often store authentication keys in the Android apps on Google Play, making it possible for criminals to steal corporate or personal data.
The major security threat has cast doubt on the effectiveness of the automated scanning tools Google uses to uncover malicious code and other problems that could pose a risk to users.
"If I'm a CISO, and I'm trying to make decisions about BYOD policies for my corporation, I might say, 'you know what – Android, not cool,'" Jonathan Sander, strategy and research officer for STEALTHbits Technologies, said.
Google, which has been notified of the problem, did not respond to a request for comment.
Columbia University researchers developed a tool they called PlayDrone that indexed and analyzed more than 1.1 million apps in Google Play, the official online store for people with smartphones and tablets running Google's Android operating system.
Using various hacking techniques, PlayDrone circumvented Google's technology to prevent indexing of store content and extracted the source code of more than 880,000 free applications.
In decompiling and analyzing the apps, the researchers discovered that "developers often store secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation."
The authentication keys are used in making secure connections between apps and the servers they communicate with. If criminals get the keys, they could decrypt information the app stores on a remote server, even those belonging to a cloud service provider, such as Amazon Web Services or Facebook, the researchers said.
"If there is corporate data in the cloud, and a company had an app that had the secret keys in it, someone could potentially steal data from the cloud," Jason Nieh, co-author of the research report, said in an email.
Some apps connecting to Facebook were found to contain authentication keys, Nieh said. Once notified, Facebook stopped accepting the keys, which forced the developers to change the apps to continue working with the service.
"How substantial the changes are depends on the service provider and the app," Nieh said. "In some cases, the changes can be substantial."
If a criminal finds an Android app with the keys stored inside, then it would be "pretty trivial" to decompile the app as the researchers did, Theodora Titonis, vice president of mobile security for Veracode, said.
"There are tools readily available to do that," she said.
The most likely reason developers would store such an important component in the app is to avoid writing the additional code required to store the keys on the server, where they would be more secure, Titonis said.
"There's more complexity," she said.
Mobile app developers are notorious for reducing their workload by cutting corners on security. In most cases, getting the app out to market as quick as possible trumps better protection for users, experts say.
A study conducted last year by Hewlett-Packard found that 86 percent of the mobile apps published by 600 Forbes Global 2000 companies did not have adequate security in place to defend against the most common exploits.