How Far are App Secrets from Being Stolen? A Case Study on Android
Lili Wei, Heqing Huang, Shing-Chi Cheung, Kevin Li

TL;DR
This study systematically analyzes Android app secret leakage, reveals widespread vulnerabilities and common bad practices, and demonstrates that many secrets can be easily stolen from popular apps, emphasizing the need for better security measures.
Contribution
First systematic characterization of Android app secret leakage issues, including categorization, security impact assessment, and demonstration of exploitability using automated analysis.
Findings
Numerous app secrets can be easily stolen from popular Android apps.
Common bad practices in storing app secrets were identified.
A large number of exploitable secrets were discovered through automated analysis.
Abstract
Android apps can hold their own secret strings, such as cloud service credentials or encryption keys. Leakage of such secret strings can induce unprecedented consequences such as monetary losses or leakage of users' private information. In practice, various security issues have been reported because many apps failed to protect their secrets. However, little is known about the types, usages, exploitability, and consequences of app secret leakage issues. While a large body of literature has been devoted to studying user private information leakage, there is no systematic study characterizing app secret leakage issues. How far are Android app secrets from being stolen? To bridge this gap, we conducted the first systematic study characterizing app secret leakage issues in Android apps, based on 575 potential app secrets sampled from 14,665 popular Android apps on Google Play. We summarized the…
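A defender-side check for the kind of secret the abstract describes, added here as an example and not code from the paper: a small scanner over a decoded res/values/strings.xml (the file apktool produces from an APK's resources) that flags values shaped like credentials. The sample XML, the AWS key-id pattern, the entropy threshold and the name hints are this example's assumptions; the AWS key id shown is the public placeholder from AWS documentation.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decoded res/values/strings.xml (as apktool would emit);
# the AWS key id is the public placeholder from AWS docs, not a live credential.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Weather Demo</string>
    <string name="welcome_text">Welcome back, enjoy the forecast!</string>
    <string name="privacy_url">https://example.com/privacy</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="api_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
</resources>
"""

# Assumed heuristics (thresholds are this example's, not the paper's).
AWS_KEY_ID = re.compile(r"^AKIA[0-9A-Z]{16}$")          # documented AWS key id format
KEY_SHAPE = re.compile(r"^[A-Za-z0-9/+=_-]{20,}$")      # base64/hex-like token shape
NAME_HINT = re.compile(r"key|secret|token|passw|credential", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per character; natural-language strings sit lower

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def classify(name: str, value: str) -> list[str]:
    """Reasons a resource string looks like an embedded secret (empty if none)."""
    reasons = []
    if AWS_KEY_ID.match(value):
        reasons.append("aws_access_key_id_format")
    elif KEY_SHAPE.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy_value")
    # A suggestive name alone is not evidence (think "password_label"); it only
    # strengthens a finding the value itself already supports.
    if reasons and NAME_HINT.search(name):
        reasons.append("name_suggests_secret")
    return reasons

def scan_strings_xml(xml_text: str) -> list[dict]:
    """Scan every <string> element and report the ones that look like secrets."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        name, value = elem.get("name", ""), (elem.text or "").strip()
        reasons = classify(name, value)
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings
```

Running it over the sample reports only aws_access_key and api_secret; a hit in a release build is a signal to move that value server-side or behind a per-user token rather than shipping it in the APK.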
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · User Authentication and Security Systems
