
Amazon Is Downloading Apps From Google Play and Inspecting Them - rajbala
http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and
======
BrandonM
This seems to be the natural outcome of Amazon's excellent customer service
policy, where they have on numerous occasions[0] refunded costs for hacked
instances. When they commit to that policy, they have a huge incentive to
limit customer security breaches.

I love examples like that where a company's policies result in incentives that
are so well-aligned with those of their users. Does anyone have other good
examples to share?

[0] [https://securosis.com/blog/my-500-cloud-security-screwup](https://securosis.com/blog/my-500-cloud-security-screwup)
and [http://vertis.io/2013/12/17/an-update-on-my-aws-bill.html](http://vertis.io/2013/12/17/an-update-on-my-aws-bill.html)
are two examples.

~~~
iano
Credit card companies are a good example of this too. Since they're
responsible for fraudulent charges, there's a huge incentive for them to
detect them.

~~~
protomyth
Although Walmart in their lawsuit against Visa for fees pointed out that Visa
is slowing the adoption of security features in the US.
[http://www.foxbusiness.com/industries/2014/03/27/wal-mart-files-suit-against-visa-for-m/](http://www.foxbusiness.com/industries/2014/03/27/wal-mart-files-suit-against-visa-for-m/)

------
Aqueous
I don't think they are inspecting the app; they don't need to. They can see
that there are a higher-than-average number of API accesses from a given
platform, using the AWS Secret Key as the login credential.

~~~
rajbala
I don't think they're looking for higher than average API calls for a given
key because my charges were completely expected.

~~~
jakirk42
raj, just saw your post on here. I was wondering if you were the same guy
Dennis in Delaware was trying to connect us to. We were doing the large scale
touchscreen collaboration stuff

~~~
rajbala
Nope, not I. :)

~~~
jakirk42
Ok thanks lol

------
ch0wn
Facebook does the same thing. I got a notice about an application I published
years ago in March:

> Security Notice - Your App Secret

> We see that your app, XYZ, is embedding the Facebook integration’s App
> Secret inside the Android Play Store app bundle for your app. This is a
> serious vulnerability that violates our published recommendations for proper
> login security. Someone with access to the app secret for your app can act
> on behalf of the app - this includes changing configurations for the app,
> accessing some types of information associated with people who have granted
> permissions to the app, and posting on behalf of those people.

> To mitigate this sizable risk, we have reset the app secret for your app. If
> your app is mobile-only, this should not cause any issues. If it has a
> server-side component, there is a greater likelihood that it has caused some
> issues for your app that you will need to address. Going forward, please do
> not include the app secret in your app bundle, or disclose it publicly. You
> can read more about app secrets and how to secure your Facebook app here.

~~~
MasterScrat
Now this is interesting. Could we imagine a service that would be in charge of
protecting your customers secrets?

You would provide a list of secret strings, and ask to have them monitored on
search engines but also from mobile applications, browser extensions,
published JARs etc.

~~~
TheLoneWolfling
NOOOOOOOOOOO

But seriously, treat them like passwords.

Don't have the service store the secrets, have the service store hashes of the
secrets with a regex for prefiltering (because hashing every word everywhere
would be prohibitively expensive).

~~~
MasterScrat
> Don't have the service store the secrets

Why not? You can use the service to make sure it doesn't leak its own secrets
so it's safe ;-)

But seriously yes I really like your approach.

You could even provide a second set of API to do the opposite: given a block
of text see if there's any sensitive string inside. Google & co could use it
before publishing an app in their Store.

~~~
michaelmior
Either way you still have to trust another third party to keep your secrets
safe. Even if the secrets weren't publicly leaked, any compromise of this
service affects any service whose keys you have stored there.

------
justinph
That's actually kind of awesome. Good on Amazon for taking security seriously.

~~~
septerr
That's exactly how I felt. And they wrote such a detailed email with helpful
links and everything.

~~~
gamegoblin
If they are really downloading apps to inspect, I suspect the email is an
automated template.

~~~
kruk
But someone went through the trouble of writing the template. Most companies
wouldn't even bother checking apps in the first place.

------
nknighthb
I understand perfectly how people end up mistakenly pushing credentials into
public source repos when releasing server-side stuff. But I don't get how a
seemingly sane person develops an application intended for distribution to the
public which contains AWS credentials.

At what point in your development process do you say "I want this application,
which will be distributed to unknown persons, to contain the means to control
my AWS account."?

~~~
Kudos
Some people don't realise their apps can be decompiled; it's not a question of
sanity.

~~~
nknighthb
I don't think I've ever encountered that particular illusion in anyone making
a living off writing compiled code, only very new developers and non-engineer
managers. It's one of the few securityish things that seems to be successfully
beaten into everyone's head pretty early on.

(And more often than not, they get there all by themselves -- such people
usually appear on my radar asking questions showing they've figured out for
themselves that it's a bad idea, they just need help turning that knowledge
into practice.)

~~~
saurik
I give talks at development conferences where I mostly blow people's minds by
showing how easy it is to pull information out of binaries (both statically
and dynamically); there are always tons of questions from the audience
afterwards about "but we do X? doesn't that make us safe?", so I have to sit
there shooting down a ton of silly ways of obfuscating their data, showing how
each one could be defeated, but it "clicks" for everyone that there is no safe
way to do this.

------
natch
Anyone who reads the article can see that the author is drawing conclusions
from conjecture.

"We were made aware" does not equal "we are downloading apps and inspecting
them."

If they were doing that, that would be great! But let's not leap to
conclusions.

~~~
rajbala
They (or someone working with them) would have had to download the app and
inspect it. They clearly tell me that they've detected access credentials in
the app itself.

That's not conjecture.

------
downandout
I see nothing wrong here. They are probably doing this now because it is in
fact a major problem, even with large, professionally developed apps. About 8
months ago I did a brief analysis of the then-current Vine apk and relatively
quickly extracted their S3 credentials (they were not stored in plain text,
but close enough). Very bad idea.

~~~
MasterScrat
The number of valid EC2 keys you can find with a simple GitHub search is mind-
blowing (or was, at least, when I tried it a month ago).

------
smilliken
MixRank analyzes mobile apps (Android and iOS) and we often see apps with
embedded api secrets, private keys, and passwords. It's really surprising.

If you'd like to send an email like this to your users, send me an email (in
profile) and I can query our database and check to see if any of them are
including their api keys.

------
immad
Couldn't they just look at the user agent and know that the hit to their API
is coming from an Android device rather than a server?

~~~
RoboTeddy
[http://developer.android.com/reference/java/net/HttpURLConnection.html](http://developer.android.com/reference/java/net/HttpURLConnection.html)
might not have a default User-Agent header that identifies android

~~~
brown9-2
Of course a developer could change this, but yes the default user-agent string
for an Android app using HttpURLConnection identifies it clearly as Android:
[http://www.gtrifonov.com/2011/04/15/google-android-user-agent-strings-2/](http://www.gtrifonov.com/2011/04/15/google-android-user-agent-strings-2/)

------
incogmind
They did a good thing, title feels slightly misguiding. Could they have
figured it out based on API access locations being random?

~~~
rajbala
What's misguiding?

No intention to misguide. I think it's completely accurate. They downloaded my
app, inspected it, found AWS credentials and emailed me as a result.

~~~
brown9-2
I think the misguiding part (or at least, what the tone suggests) is that the
order of events is 1) Amazon downloading and scanning all apps and then 2)
looking for AWS credentials in the code.

~~~
rajbala
I think that is what's happening. They would have no other way to identify my
app and my AWS credentials otherwise.

------
orblivion
I wonder how they would identify a string that appears to be an API secret
and query their database for it. For every plausible string in every app? I
guess they decompile it and find string literals of the correct length?

~~~
alttab
AWS knows the clients that are connecting to it. All they have to detect is
that a large amount of traffic is coming from a wide distribution of mobile
devices. This is indicative they embedded the creds into the APK. If they got
the creds from a server during runtime, it would be safer to proxy to AWS
_through_ the server itself, and never distribute the sensitive data. This
would result in only a few proxies connecting to AWS.

Amazon surely has automated this with monitoring. I doubt they ever scan
Google Play and download the APKs and scan them. Not only is that extremely
wasteful it's most definitely violating the Google Play terms of service.

~~~
brown9-2
It wouldn't even need to be a "large amount of traffic", just traffic using
the AWS secret key from more than a handful of IP addresses in the same time
window would be suspicious.

------
goombastic
This is probably a good thing and also automated.

~~~
alttab
It could have raised alarms and then been personally investigated. You could
monitor the distribution of AWS connections per client. You could easily
determine that accessing the same account from many Android devices is
probably the result of poor security practices.
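
A worked version of the traffic-side check alttab and brown9-2 describe above
(distinct source IPs per access key inside a time window), with the
user-agent hint from the immad/RoboTeddy/brown9-2 subthread as a secondary
signal. This is an added example, not code from the thread or from AWS; the
log records are constructed, CloudTrail-style, and the field names,
placeholder key IDs and thresholds are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# User agents that identify a phone SDK or runtime. A developer can override
# the UA (as the thread notes), so this is only a hint; the IP spread is the
# primary signal.
MOBILE_UA = re.compile(r"Dalvik|Android|aws-sdk-android|aws-sdk-iOS|CFNetwork|iPhone OS", re.I)

SERVER_UA = "aws-sdk-java/1.7.5 Linux/3.13.0 OpenJDK_64-Bit_Server_VM/24.51-b03"
DALVIK_UA = "Dalvik/1.6.0 (Linux; U; Android 4.4.2; Nexus 5 Build/KOT49H)"


def _rec(event_time, key, ip, user_agent):
    return {"eventTime": event_time, "accessKeyId": key,
            "sourceIPAddress": ip, "userAgent": user_agent}


# Constructed sample log (CloudTrail-style field names, placeholder key IDs).
SAMPLE_LOG = (
    # A server-side key: a couple of fixed IPs, server SDK user agent.
    [_rec("2014-04-03T10:00:00Z", "AKIAEXAMPLESERVER001", "203.0.113.10", SERVER_UA),
     _rec("2014-04-03T10:05:00Z", "AKIAEXAMPLESERVER001", "203.0.113.11", SERVER_UA),
     _rec("2014-04-03T10:10:00Z", "AKIAEXAMPLESERVER001", "203.0.113.10", SERVER_UA)]
    # A key shipped inside an APK: a new IP for every device, Dalvik UA ...
    + [_rec("2014-04-03T10:%02d:00Z" % (2 * i), "AKIAEXAMPLEMOBILE001",
            "198.51.100.%d" % (i + 1), DALVIK_UA) for i in range(8)]
    # ... plus one caller that set a non-Android UA; the IP spread still catches it.
    + [_rec("2014-04-03T10:20:00Z", "AKIAEXAMPLEMOBILE001", "198.51.100.50", "Java/1.7.0_51")]
)


def parse_records(raw):
    """Turn the ISO timestamps into datetimes; everything else is kept as-is."""
    out = []
    for r in raw:
        rec = dict(r)
        rec["eventTime"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(rec)
    return out


def flag_keys(records, window=timedelta(hours=1), max_ips=5):
    """Per access key: the largest number of distinct source IPs seen inside any
    sliding window of `window`, and how many calls carried a mobile user agent.
    Keys over max_ips distinct IPs (or with any mobile UA) come back with reasons."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["accessKeyId"]].append(r)

    findings = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["eventTime"])
        active = deque()
        max_distinct = 0
        for r in recs:
            active.append(r)
            while r["eventTime"] - active[0]["eventTime"] > window:
                active.popleft()
            max_distinct = max(max_distinct, len({a["sourceIPAddress"] for a in active}))
        mobile_calls = sum(1 for r in recs if MOBILE_UA.search(r["userAgent"]))

        reasons = []
        if max_distinct > max_ips:
            reasons.append("%d distinct source IPs within %s" % (max_distinct, window))
        if mobile_calls:
            reasons.append("%d calls with a mobile user agent" % mobile_calls)
        if reasons:
            findings[key] = {"max_distinct_ips": max_distinct,
                             "mobile_calls": mobile_calls, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for key, f in flag_keys(parse_records(SAMPLE_LOG)).items():
        print(key, "->", "; ".join(f["reasons"]))
```

On the sample the server key stays quiet (two IPs, server UA) and the APK key
is reported on both counts. The threshold is deliberately small; a real
deployment would tune `max_ips` per customer, since a legitimately large
autoscaled fleet also produces many source IPs for one key.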

------
happywolf
I would think they inspect apps based on the number of hits generated to AWS.

The advantages of doing this are 1) showing Amazon thinks of its customers
(well, also of itself) and 2) proving it has pro-actively notified the
customer and done its due diligence.

This step could serve as a solid proof in any dispute on later security issues
or/and related costs.

Smart, I will say.

------
olalonde
I'm curious why some apps need API access to AWS. What's the use case?
Surely not to spin up an EC2 instance when the user clicks a button? Save
files to S3? I'm not being sarcastic, genuinely curious. And what's the
proposed solution suggested by AWS?

~~~
rajbala
Save files to S3.

~~~
Turing_Machine
You can do that with signed forms and similar techniques, though. No need to
have the key on the client side (and lots of reasons not to).

~~~
Turing_Machine
The flow is roughly this:

1) Client: "Hey, I want to upload a file."

2) Server: "Okay, here's a temporary key good for the next <n> minutes. The
file has to be named <blah> and can't be more than <x> MB long" (there are
other restrictions you can set, too, IIRC)

3) Client posts the form to S3 including the temporary key as a field.

4) Result.

------
catshirt
great for them. i worked for an unnamed company who was shipping AWS
credentials in clients for years. worse, they were not clients that required a
packaged binary (no need to decompile). it's long since patched but i can't
believe no one ever sniffed that out.

------
woloski
We wrote a blog post that shows how you can authenticate your users and get
temporary security credentials from AWS based on the user tokens to avoid
putting your keys on the client (both JavaScript apps in the browser or native
apps). This technique uses Auth0 so you don't have to deploy a TVM, and it
works with all the APIs (S3, EC2, SQS, SES, etc.). Behind the scenes we
generate a SAML token based on the user's JSON Web Token and exchange it for
AWS temporary credentials using the AssumeRoleWithSAML AWS API.

[http://blog.auth0.com/2014/03/25/consume-aws-apis-from-the-browser-securely/](http://blog.auth0.com/2014/03/25/consume-aws-apis-from-the-browser-securely/)

------
magic_haze
Does Google Play have a public API for downloading APKs? Does it work for paid
apps as well? (I'm not able to construct good keywords for search here: Google
thinks I'm looking for an APK for the store app instead)

~~~
kanzure
> Does Google Play have a public API for downloading APKs? Does it work for
> paid apps as well?

There's no "public API" but have fun: [https://github.com/kanzure/googleplay-api](https://github.com/kanzure/googleplay-api)

(because otherwise how does Google Play itself participate in downloading
apps?)

------
mobiplayer
Well, this is very cool and an approach that some security companies are
taking at the moment. "Security outside your network" they call it.

I'm myself working (side/pet project so far) in something similar. I don't
have any working software at the moment but some "INTEL" and it is incredible
how easy anyone would be able to compromise/hurt people and companies just
using available information published by themselves.

If anyone more technical (I'm looking at you, devs!) wants to team up to
create a service like this please get in touch.

------
travelton
I hope other developers see this and take action if they aren't properly
securing cloud API keys. Data access by an unauthorized party is not something
you want to deal with.

------
jhgg
I wonder if any malicious parties have been doing this as well.

~~~
good_guy
That's exactly what Amazon is trying to prevent.

------
jbert
I'm being dumb. I can see that it is preferable to embed credentials for a
restricted IAM acct, not your root/master AWS account.

But how does using a TVM improve the situation? Surely you still need to embed
creds which allow the app to use the TVM? In that case, an attacker can
extract _those_ creds, and ask the TVM for a time-limited token any time they
like.

How does using a TVM improve security over embedding the creds of a restricted
account?

~~~
duncans
Your token service would authenticate users using their credentials for your
system.

~~~
jbert
Still not sure how that helps. In both cases, we have creds embedded in the
app which can be used (and only used) for access to the AWS resource.

In one case directly (via an IAM limited account), in another via a token they
can request. In both cases, the acct is limited to one specific AWS resource.
In both cases, the creds can be revoked centrally. In both cases the creds are
embedded in the app.

Smart people who build these things (AWS) seem to think a TVM is a better
solution. I don't understand why.
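
An added example (not code from the thread, from AWS, or from Auth0) that
covers both Turing_Machine's four-step flow further up and jbert's question
here about what a token vendor buys you. The point is that the app ships no
AWS credential at all: the user logs in to the app's own account system, the
server (the only holder of the AWS secret) signs an S3 POST policy restricted
to that user's prefix, a size limit and a few minutes, and S3 enforces the
policy on upload. An attacker who pulls the form fields off a device gets one
user's prefix for those few minutes, and disabling that user's account stops
further issuance; an embedded IAM key, however restricted, is the same for
every device and lives until someone rotates it. The user store, bucket name,
prefix layout and timestamps are assumptions; the policy document and the
SigV4 signing-key derivation follow AWS's public browser-upload format.
`policy_allows` re-implements S3's checks locally so the example runs offline:

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Long-lived AWS credentials live only on the server. Placeholder values.
AWS_ACCESS_KEY_ID = "AKIAEXAMPLESERVER001"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "example-app-uploads"          # assumed bucket name
MAX_UPLOAD_BYTES = 10 * 1024 * 1024

# Constructed user store for the app's own accounts: user -> sha256(password).
# Illustration only; a real store would use a slow, salted password hash.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret, date_stamp, region, service="s3"):
    """SigV4 signing-key derivation: date, region, service, then the terminator."""
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def authenticate(user, password):
    """Step 1 of the flow: the client proves who it is to the app's own account
    system, not with anything that belongs to AWS."""
    stored = USERS.get(user)
    given = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, given)


def issue_upload_policy(user, password, now=None, ttl=timedelta(minutes=5)):
    """Step 2: for an authenticated user, return the form fields for an S3 POST
    upload that works only for this bucket, only under uploads/<user>/, only up
    to MAX_UPLOAD_BYTES, and only until now+ttl. The secret key never leaves."""
    if not authenticate(user, password):
        raise PermissionError("bad user credentials")
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = "%s/%s/%s/s3/aws4_request" % (AWS_ACCESS_KEY_ID, date_stamp, REGION)
    policy = {
        "expiration": (now + ttl).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", "uploads/%s/" % user],
            ["content-length-range", 0, MAX_UPLOAD_BYTES],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    signature = hmac.new(signing_key(AWS_SECRET_ACCESS_KEY, date_stamp, REGION),
                         encoded.encode(), hashlib.sha256).hexdigest()
    return {
        "key": "uploads/%s/${filename}" % user,   # S3 substitutes ${filename}
        "policy": encoded,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "x-amz-signature": signature,
    }


def policy_allows(fields, key, size, now):
    """Step 3 as S3 evaluates it, re-implemented here so the example runs
    offline: valid signature over the policy, not expired, key under the
    allowed prefix, size within range. Exact-match conditions (bucket,
    algorithm, credential, date) are fixed by the form fields themselves."""
    policy = json.loads(base64.b64decode(fields["policy"]))
    date_stamp = fields["x-amz-credential"].split("/")[1]
    expected = hmac.new(signing_key(AWS_SECRET_ACCESS_KEY, date_stamp, REGION),
                        fields["policy"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["x-amz-signature"]):
        return False
    if now >= datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ"):
        return False
    for cond in policy["conditions"]:
        if not isinstance(cond, list):
            continue
        if cond[0] == "starts-with" and cond[1] == "$key" and not key.startswith(cond[2]):
            return False
        if cond[0] == "content-length-range" and not (cond[1] <= size <= cond[2]):
            return False
    return True
```

The same shape works for the TVM/STS variant: the server authenticates the
user the same way, then calls STS for temporary credentials scoped by a
session policy to `uploads/<user>/` instead of signing a POST policy. Either
way the credential the device holds is per user, short-lived, and cannot be
widened by the holder.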

------
rrtwo
What are common use cases for AWS in mobile apps? (where the app needs direct
connection to AWS)

~~~
rajbala
Reading/writing to S3 was my use case. I'm sure there are others.

------
salvadormrf
They also scan for Keys on github. They are proactive in terms of security!

------
kayoone
a free security audit of your app, pretty cool ;)

------
ediblenergy
Or somebody else found it and notified Amazon.

------
3327
Was your source obfuscated?

~~~
andrewguenther
Does it matter? A constant string is a constant string.

~~~
thaumasiotes
Well, if you want to obfuscate a constant string in your code, you can, e.g.
by generating it dynamically from summing two hardcoded integer arrays. Not to
say you should, but you can.

~~~
claudius
That sounds an awful lot like DRM with all its failed approaches…

~~~
thaumasiotes
Sounds like? That's what obfuscation is (or more accurately, obfuscation is
what DRM is). No one ever claimed, or ever will claim, that obfuscation stops
people from seeing what you're doing.

------
bborud
Kudos to Amazon.

------
hoboerectus
So am I.

------
Fasebook
Ultimately, Web Identity Federation or Federated Identity is the only way to
secure apps in walled gardens, which means aligning yourself with a virtual
land baron. I, for one, welcome our new fiefdom overlords. Everything else is
just pushing new credentials through temp credentials and obfuscating it with
protocol complexity.

------
snapclass
Go on you Amazon.

------
dalek2point3
is decompiling an app legal? does it not break someone's terms of service?

~~~
yaur
Decompilation isn't even needed. They know the credential being sent so an
_if(strings | grep -c "foo") != 0 SendEmail()_ is all that is required.
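
An added example (not code from the thread, Amazon, AWS or Google) of the
scan yaur sketches, which also shows the hash-plus-regex-prefilter scheme
from TheLoneWolfling's reply earlier and answers orblivion's question about
which strings to consider. An APK is a zip, so the scanner pulls printable
runs out of each member (what `strings` does), matches the fixed AKIA...
shape for key IDs, and for secrets hashes only whole 40-character tokens and
compares them against registered hashes, so the scanning service never holds
a secret in clear. The APK contents, key ID and secret are constructed
placeholders:

```python
import hashlib
import io
import re
import zipfile

# The public half of an AWS key pair has a fixed, recognisable shape.
ACCESS_KEY_RE = re.compile(rb"AKIA[0-9A-Z]{16}")
# Secret access keys are 40 chars from this alphabet; demand a whole token so
# the prefilter yields few candidates and only those get hashed.
SECRET_TOKEN_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Roughly what `strings` extracts: printable runs of 8 or more bytes.
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")


def fingerprint(secret):
    """What a customer registers with the monitoring service: a hash, not the key."""
    return hashlib.sha256(secret.encode()).hexdigest()


def build_sample_apk(access_key, secret):
    """Constructed stand-in for a Play Store APK (an APK is a zip). The
    classes.dex member is a fake dex blob with the credentials as string data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.notes'/>")
        z.writestr("classes.dex",
                   b"dex\n035\x00" + b"\x00" * 16
                   + b"Lcom/example/S3Client;\x00" + access_key + b"\x00"
                   + secret + b"\x00" + b"\x00" * 8)
        z.writestr("res/raw/config.json", b'{"bucket": "example-app-uploads"}')
    return buf.getvalue()


def extract_strings(apk_bytes):
    """Yield (member name, printable run) for every file in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            for m in PRINTABLE_RUN_RE.finditer(data):
                yield name, m.group()


def scan_apk(apk_bytes, known_secret_hashes):
    """Report access key IDs by value; report secrets only as the matched hash."""
    findings = []
    for member, run in extract_strings(apk_bytes):
        for m in ACCESS_KEY_RE.finditer(run):
            findings.append({"member": member, "kind": "access_key_id",
                             "value": m.group().decode()})
        for m in SECRET_TOKEN_RE.finditer(run):
            digest = hashlib.sha256(m.group()).hexdigest()
            if digest in known_secret_hashes:
                findings.append({"member": member, "kind": "known_secret",
                                 "value": digest})
    return findings


if __name__ == "__main__":
    secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"    # placeholder, not a real key
    apk = build_sample_apk(b"AKIAEXAMPLEMOBILE001", secret.encode())
    for f in scan_apk(apk, {fingerprint(secret)}):
        print(f)
```

Two limits worth knowing: a secret assembled at runtime (thaumasiotes's
summed integer arrays above) never appears as a contiguous string and will
not be caught by any `strings`-style pass, only by running or emulating the
code; and the hash lookup only finds secrets the owner has registered,
whereas Amazon, as the issuer, can compare against every key it has ever
handed out.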

------
iancarroll
One of the things that justifies the higher prices.

+1

------
alttab
Conjecture, and I guess you're welcome? My guess is if you embedded your
Google cloud credentials in your app and it was compromised Google would be
happy to bill you, terminate your account, or otherwise provide zero latitude
as a customer. At least they dropped their prices, right?

