CISPA Helmholtz Center Finds Hidden Functions Make Android Apps
April 3, 2020
A team of cybersecurity researchers from the CISPA Helmholtz Center for
Information Security in Saarbrücken, Ohio State University, and New York
University has discovered that many mobile apps hide special functions
from their users, functions that can allow attackers to compromise the
security of users and of the mobile app infrastructure.
In a large-scale study, a team of cybersecurity researchers, including
CISPA faculty member Giancarlo Pellegrino, identified severe security
issues in several mobile phone apps. These are not typical
vulnerabilities that were inadvertently introduced by the programmers.
“These problems look very intentional. Many of these functionalities are
hidden or covert to the user,” explains Pellegrino. “They allow others to
access private data or block content provided by users.”
150,000 apps were evaluated for this study: the 100,000 most downloaded
apps from the Google Play Store, the 20,000 most downloaded apps from an
alternative app store, and 30,000 pre-installed apps on various Android
smartphones.
The research team found that 8.5 percent of the apps (12,706 apps)
contained what could be described as a “backdoor secret”. “In other
words, functions of the mobile apps that are hidden from users and can
be activated with special sequences or actions,” explains Pellegrino.
The researchers also found that some apps have built-in “master
passwords”. These allow anyone who has them to access the app and any
private data it contains. Other apps have secret access keys that
trigger hidden options. “Among other things, we also found administrator
interfaces that can be activated with secret sequences of keys to bypass
payments,” Pellegrino explains, adding: “These are not easter eggs, but
functionalities that can override expected security mechanisms. For
example, we found apps that allow unlocking data with a master password
that is hardcoded in the app.”
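The pattern Pellegrino describes, a hidden function gated on comparing user input to a string hardcoded in the app, is the kind of thing a developer-side code review can hunt for before release. The following is an added illustration, not InputScope and not code from the study: a small heuristic scanner written for this article that reads Java source, lists every string-equality check against a literal, and flags the ones whose variable name or literal looks like a credential. The sample Java source, the `INPUT_HINTS` list and the "8+ characters mixing letters and digits" rule are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample Java source (not from any real app) showing the pattern
# the article describes: a hidden function gated on a string hardcoded in the app.
SAMPLE_SOURCE = """\
// Constructed sample, not from any real app.
public boolean unlock(String password) {
    if (password.equals("M4sterKey!")) {        // hidden master password
        return true;
    }
    return password.equals(storedHash);         // compared to a variable, not flagged
}
void onCommand(String cmd) {
    if ("dbg-admin-9921".equalsIgnoreCase(cmd)) { showAdminPanel(); }
    if (cmd.equals("refresh")) { refresh(); }   // ordinary command dispatch
}
"""

# var.equals("literal") / var.equalsIgnoreCase("literal")
_VAR_FIRST = re.compile(r'\b(\w+)\.(equals|equalsIgnoreCase)\(\s*"([^"]*)"\s*\)')
# "literal".equals(var) / "literal".equalsIgnoreCase(var)
_LIT_FIRST = re.compile(r'"([^"]*)"\.(equals|equalsIgnoreCase)\(\s*(\w+)\s*\)')

# Variable-name fragments suggesting the compared value is a credential
# (hypothetical heuristic list; tune it for your own code base).
INPUT_HINTS = ("pass", "pin", "secret", "key", "token", "auth")


@dataclass(frozen=True)
class Finding:
    line_no: int
    variable: str
    literal: str


def find_hardcoded_comparisons(source: str) -> List[Finding]:
    """Return every string equality check against a literal, in source order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # skip comment-only lines
        for m in _VAR_FIRST.finditer(line):
            findings.append(Finding(line_no, m.group(1), m.group(3)))
        for m in _LIT_FIRST.finditer(line):
            findings.append(Finding(line_no, m.group(3), m.group(1)))
    return findings


def is_suspicious(f: Finding) -> bool:
    """Flag comparisons that look like a gate on a credential or secret code.

    Two heuristics: the variable name hints at a credential, or the literal
    itself looks like a secret (8+ characters mixing letters and digits).
    Plain command words such as "refresh" pass through unflagged.
    """
    name = f.variable.lower()
    if any(hint in name for hint in INPUT_HINTS):
        return True
    lit = f.literal
    has_digit = any(c.isdigit() for c in lit)
    has_alpha = any(c.isalpha() for c in lit)
    return len(lit) >= 8 and has_digit and has_alpha


def suspicious_findings(source: str) -> List[Finding]:
    """Only the comparisons worth a reviewer's attention."""
    return [f for f in find_hardcoded_comparisons(source) if is_suspicious(f)]


if __name__ == "__main__":
    for f in suspicious_findings(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.variable} compared to hardcoded {f.literal!r}")
```

Run on the constructed sample, the scanner reports the master-password check on line 3 and the debug-admin code on line 9, while the ordinary `"refresh"` command dispatch on line 10 and the comparison against a variable on line 6 are left alone. A regex pass like this is only a first filter; anything it flags still needs a human to decide whether the gated behaviour is legitimate or one of the backdoor secrets the study describes.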
“Both users and developers are all at risk if criminals get hold of
these ‘backdoor secrets,’” says Ohio State University Professor Zhiqiang
Lin in a detailed article on the university’s website, The Ohio State
University News. Attackers could reverse-engineer the mobile apps to
Qingchuan Zhao, research assistant at Ohio State and lead author of this
study, said developers often mistakenly assume that reverse engineering
their apps would not pose a threat.
The team also found another 4,028 apps (2.7 percent) that blocked
content containing certain keywords related to censorship, cyberbullying
or discrimination. The researchers were not surprised that apps could
restrict certain content. The way they did it, however, was, Professor
Lin explains in the detailed report on the university’s homepage. “We
also found apps enforcing censorship, where a specific list of words,
e.g., political parties or political figures, is forbidden to be used in
text,” says Pellegrino.
The research team has developed an open source tool called InputScope,
which is designed to help developers understand vulnerabilities in their
applications and show that the reverse engineering process can be fully
Other authors of this work are Chaoshun Zuo, also of Ohio State, and
Brendan Dolan-Gavitt of New York University.
The study was accepted for publication at the IEEE 2020 Symposium on
Security and Privacy in May. The in-person conference has been cancelled
due to the global coronavirus (COVID-19) pandemic and is now being held
online.