Android apps ‘need to follow better security practice’

This article was updated on May 19th to include I/O developments.

Many Android apps in Google Play are still not following best practice when it comes to authentication and authorization.

Writing on its Android Developers Blog, Isabella Chen, a software engineer at Google, said that this can leave apps “vulnerable to attack”.

It is important that developers make their applications as secure as possible, so that they are protected from all sorts of threats.

Ms. Chen listed some of the possible lines of attack that cybercriminals can exploit with vulnerable apps.

These include email or user ID substitution attack and access token substitution attack.

“After signing in with Google on Android, some apps directly send email or user ID in plain text to their backend server as the identity credential,” the expert explained with reference to the former.

“These server endpoints enable a malicious attacker to easily forge a request and gain access to any user’s account by guessing their email/user ID.”

With regards to the latter, Ms. Chen highlighted that this security gap is to do with developers continuing to use legacy Plus.API / GoogleAuthUtil.getToken.

Again, after signing in with Google on Android, many apps dispatch an access token – secured through GoogleAuthUtil.getToken – “to their backend server as the identity assertion”.

“Access tokens are bearer tokens and backend servers cannot easily check if the token is issued to them,” she elaborated.

“A malicious attacker can phish the user to sign-in on another application and use that different access token to forge a request to your backend.”

In related news, Google’s annual software developer-focused conference, I/O, launches today, with some interesting security revelations.

For example, it was revealed that Android N, the latest version of the tech giant's mobile operating system, will come with file-based encryption.

According to Quartz, Dave Burke, vice president of engineering at Android, said at the event that the SafetyNet feature crack down on apps that appear to be behaving maliciously.