Nicolas Viennot
Jason Nieh
ABSTRACT
Although millions of users download and use third-party Android applications from the Google Play store, little information is known on an aggregated level about these applications. We have built PlayDrone, the first scalable Google Play store crawler, and used it to index and analyze over 1,100,000 applications in the Google Play store on a daily basis, the largest such index of Android applications. PlayDrone leverages various hacking techniques to circumvent Google's roadblocks for indexing Google Play store content, and makes proprietary application sources available, including source code for over 880,000 free applications. We demonstrate the usefulness of PlayDrone in decompiling and analyzing application content by exploring four previously unaddressed issues: the characterization of Google Play application content at large scale and its evolution over time, library usage in applications and its impact on application portability, duplicative application content in Google Play, and the ineffectiveness of OAuth and related service authentication mechanisms resulting in malicious users being able to easily gain unauthorized access to user data and resources on Amazon Web Services and Facebook.
- Amazon Web Services. IAM Best Practices, May 2010. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html.Google Scholar
- Amazon Web Services. Creating Temporary Security Credentials for Mobile Apps Using Identity Providers. AWS Security Token Service, June 2011. http://docs. aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html.Google Scholar
- Amazon Web Services. Authenticating Users of AWS Mobile Applications with a Token Vending Machine. AWS Identity and Access Management, July 2013. http://aws.amazon.com/articles/4611615499399490.Google Scholar
- Amazon Web Services. Getting Started with the AWS SDK for Android. AWS SDK for Android, Sept. 2013. http://docs.aws.amazon.com/mobile/sdkforandroid/gsg/Welcome.html.Google Scholar
- AndroLib. http://www.androlib.com.Google Scholar
- AppBrain. http://www.appbrain.com.Google Scholar
- R. Bala. Amazon Is Downloading Apps From Google Play and Inspecting Them. Y Combinator Hacker News, Mar. 2014. https://news.ycombinator.com/item?id=7491272.Google Scholar
- Capistrano. http://capistranorb.com.Google Scholar
- Chef. http://www.getchef.com.Google Scholar
- R. Chirgwin. Amazon Is Decompiling Our Apps in Security Gaff Hunt, Says Dev. The Register, Mar. 2014. http://www.theregister.co.uk/2014/03/31/dev_lashes_out_at_amazon_for_decompiling_his_app.Google Scholar
- B.-G. Chun, S. Ihm, P. Maniatis, M. Naik, and A. Patti. CloneCloud: Elastic Execution Between Mobile Device and Cloud. In Proceedings of the 6th European Conference on Computer systems (EuroSys 2011), Apr. 2011. Google ScholarDigital Library
- J. Crussell, C. Gibler, and H. Chen. Attack of the Clones: Detecting Cloned Applications on Android Markets. In Proceedings of 17th European Symposium on Research in Computer Security (ESORICS 2012), Sept. 2012.Google ScholarCross Ref
- J. Crussell, C. Gibler, and H. Chen. AnDarwin: Scalable Detection of Semantically Similar Android Applications. In Proceedings of 18th European Symposium on Research in Computer Security (ESORICS 2013), Sept. 2013.Google ScholarCross Ref
- Death by Captcha. http://www.deathbycaptcha.com.Google Scholar
- A. Desnos. Androguard. https://code.google.com/p/androguard.Google Scholar
- dex2jar. http://code.google.com/p/dex2jar.Google Scholar
- N. d'Heureuse, F. Huici, M. Arumaithurai, M. Ahmed, K. Papagiannaki, and S. Niccolini. What's App?: A Wide-Scale Measurement Study of Smart Phone Markets. Mobile Computing and Communications Review, 16(2):16--27, Apr. 2012. Google ScholarDigital Library
- Elasticsearch. http://www.elasticsearch.org.Google Scholar
- W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, Aug. 2011. Google ScholarDigital Library
- Facebook. Login Security. https://developers.facebook.com/docs/facebook-login/security.Google Scholar
- A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A Survey of Mobile Malware in the Wild. In Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2011), July 2011. Google ScholarDigital Library
- C. Gibler, R. Stevens, J. Crussell, H. Chen, H. Zang, and H. Choi. AdRob: Examining the Landscape and Impact of Android Application Plagiarism. In Proceedings of the 11th International Conference on Mobile Systems, Applications, and Services (MobiSys 2013), June 2013. Google ScholarDigital Library
- E. Girault. Google Play Unofficial Python API. https://github.com/egirault/googleplay-api.Google Scholar
- M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys 2012), June 2012. Google ScholarDigital Library
- B. Gruver. smali/baksmali assembler/disassembler. https://code.google.com/p/smali.Google Scholar
- S. Hanna, L. Huang, E. X. Wu, S. Li, C. Chen, and D. Song. Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications. In Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2012), July 2012. Google ScholarDigital Library
- M. Kotadia. AWS Admits Scanning Android App in Secret Key Hunt. iTnews, Apr. 2014. http://www.itnews.com.au/News/381432, aws-admits-scanning-android-app-in-secret-key-hunt. aspx.Google Scholar
- MixRank. http://www.mixrank.com.Google Scholar
- R. Mogull. My $500 Cloud Security Screwup-UPDATED. Securosis Blog, Jan. 2014. https://securosis.com/blog/my-500-cloud-security-screwup.Google Scholar
- M. Perham. Sidekiq. http://sidekiq.org.Google Scholar
- C. K. Roy, J. R. Cordy, and R. Koschke. Comparison and Evaluation of Code Clone Detection Techniques and Tools: A Qualitative Approach. Sci. Comput. Program., 74(7):470--495, May 2009. Google ScholarDigital Library
- S. Sanflippo. Redis. http://redis.io.Google Scholar
- A. Thiel. Android-market-api. https://code.google.com/p/android-market-api.Google Scholar
- C. Tumbleson. Android-apktool. http://code.google.com/p/android-apktool.Google Scholar
- Twitter. Implementing the Twitter OAuth flow in Android. https://dev.twitter.com/docs/implementing-twitter-oauth-flow-android.Google Scholar
- N. Viennot. Java Library for JD-Core. https://github.com/nviennot/jd-core-java.Google Scholar
- N. Viennot. PlayDrone sources. https://github.com/nviennot/google-play-crawler.Google Scholar
- C. Warren. Google Play Hits 1 Million Apps. Mashable, July 2013. http://mashable.com/2013/07/24/google-play-1-million.Google Scholar
- Y. Zhang, G. Huang, X. Liu, W. Zhang, H. Mei, and S. Yang. Refactoring Android Java Code for On-Demand Computation Offloading. In Proceedings of the 27th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2012), Oct. 2012. Google ScholarDigital Library
- W. Zhou, Y. Zhou, M. C. Grace, X. Jiang, and S. Zou. Fast, Scalable Detection of "Piggybacked" Mobile Applications. In Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy (CODASPY 2013), Feb. 2013. Google ScholarDigital Library
- W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting Repackaged Smartphone Applications in Third-party Android Marketplaces. In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy (CODASPY 2012), Feb. 2012. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP 12), May 2012. Google ScholarDigital Library
- Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security (NDSS 2012), Feb. 2012.Google Scholar
Index Terms
- A measurement study of google play
Recommendations
Understanding the Evolution of Mobile App Ecosystems: A Longitudinal Measurement Study of Google Play
WWW '19: The World Wide Web ConferenceThe continuing expansion of mobile app ecosystems has attracted lots of efforts from the research community. However, although a large number of research studies have focused on analyzing the corpus of mobile apps and app markets, little is known at a ...
Beyond Google Play: A Large-Scale Comparative Study of Chinese Android App Markets
IMC '18: Proceedings of the Internet Measurement Conference 2018China is one of the largest Android markets in the world. As Chinese users cannot access Google Play to buy and install Android apps, a number of independent app stores have emerged and compete in the Chinese app market. Some of the Chinese app stores ...
A measurement study of google play
Performance evaluation reviewAlthough millions of users download and use third-party Android applications from the Google Play store, little information is known on an aggregated level about these applications. We have built PlayDrone, the first scalable Google Play store crawler, ...
Comments