A team of cybersecurity researchers has discovered that a large number of cell phone applications contain hardcoded secrets allowing others to access private data or block content provided by users.
The study’s findings show that apps on mobile phones might have hidden or harmful behaviors about which end users know little to nothing, said Zhiqiang Lin, an associate professor of computer science and engineering at The Ohio State University and senior author of the study.
The study has been accepted for publication by the 2020 IEEE Symposium on Security and Privacy in May. The conference has moved online because of the global coronavirus (COVID-19) outbreak.
Typically, mobile apps engage with users by processing and responding to user input, Lin said. For instance, users often need to type certain words or sentences, or click buttons and slide screens. Those inputs prompt an app to perform different actions.
For this study, the research team evaluated 150,000 apps. They selected the top 100,000 based on the number of downloads from the Google Play store, the top 20,000 from an alternative market, and 30,000 from pre-installed apps on Android smartphones.
They found that 12,706 of those apps, about 8.5 percent, contained something the research team labeled "backdoor secrets" — hidden behaviors within the app that accept certain types of content to trigger behaviors unknown to regular users. They also found that some apps have built-in "master passwords," which allow anyone with that password to access the app and any private data contained within it. And some apps, they found, had secret access keys that could trigger hidden options, including bypassing payment.
Story Source: Materials provided by Ohio State University. Original written by Laura Arenschield. Note: Content may be edited for style and length.