Dear Google, your app store has a decompiling problem

Dear Google Play team:

Thank you for creating and managing Android’s largest app store, which now serves as the central hub for the largest smartphone platform in the world. Thanks as well for Android’s open architecture, which has made it possible for billions of people across the globe to cheaply access the Internet and a lot of great digital content, often for the first time.

But with respect, let me say that Android’s very openness has contributed to a growing problem that must be addressed immediately. We share the concerns you recently publicized about security issues on some Android phone models. But our concerns over Google Play have only grown worse since I outlined some key issues with the platform in August. Since then, we have seen several serious security breaches stemming from Google Play. I fear many more are to come, especially as we enter the holidays, when app-based shopping is certain to increase.

Here is why:

The Problem with Decompiling

My team and I recently conducted a thorough search for Android apps on Google Play that can be decompiled. A decompilable app can have its code reverse engineered through the apps’ shared object library and DEX file — a process quite simple with malicious hacker tools widely available on the Internet.

You can read the full results here. What we discovered was sobering: 85 percent of Google Play’s top 200 free Android apps are left unprotected against decompiling. Decompilable apps on Google Play include extremely popular and well known messaging/photo sharing services, games, music/video streaming services, financial services, and ironically, several antivirus apps. All of them are vulnerable to malicious hacking, including piracy and malware injection. To cite just one past example, Snapchat’s well-documented problems with parasite apps are likely made possible through decompiling. (Read further explanations of the dangers from decompiling on our Medium blog.)

When discussing these concerns with developers or even your fellow colleagues at Google, we are often told that protection of the source code (such as that offered by obfuscation tools like Proguard, recommended by your own company) will be sufficient. Unfortunately, this is not the case. Since source code is viewable as plain text, it’s relatively easy to analyze even after it has been obfuscated. Which takes us to the broader problem we now face:

The Unintended Consequences of Google’s Openness

In many ways, this state of things is a self-fulfilling prophecy. Google had the best intentions in making Android open source, choosing the open source Java development language, and then running Google Play with an open market policy. But Java’s very nature in using a virtual machine means it’s extremely easy to decompile an app’s bytecode and see 99 percent of the original source code, which can lead to app tampering, IP theft, and the identification of zero day and one day vulnerabilities. In addition, Google Play’s open nature makes it easier to download these decompilable apps and upload apps harboring malicious code.

Perhaps if the Google Play team closed its platform and overlaid it with a rigorous review system, as Apple has, Android users would be far safer. But ironically, in doing so, Google Play and Android itself would lose the very essence of what they are and stand for. So perhaps we are at an impasse.

All is not lost, however.

Building a Safer Google Play

As Google has the most talented teams of engineers in the entire world, I am quite confident that they are well aware of this decompiling problem. It’s my hope that you are working on a solution even now, even though it will require substantial commitment and resources on your part.

But while we wait for whatever server or device-based solution you are hopefully developing, my recommendation is that you double or even triple your outreach to Android developers and consumers. For developers, this means adding binary protection to their apps before they are pushed to your platform, and overall, learn to approach development with security in mind. For their part, Android consumers must understand the vulnerabilities inherent in their phone platform and take the time to learn best practices for keeping their handset secure.

Whatever solution you choose, Google Play, I wish you a speedy success. Billions of Android owners are depending on you.

Sincerely,

Min-Pyo Hong

Min-Pyo Hong is CEO and founder of SEWORKS, a San Francisco-based security solutions developer. He has advised corporations, NGOs, and governments on digital security issues for over 20 years and led a team of five-time finalists at DEFCON.