Many Mobile Apps Unnecessarily Leak Hardcoded Keys: Analysis

Some third-party applications unnecessarily store keys or secrets that could be abused to leak a variety of user credentials and other types of sensitive data, software security startup Fallible warns.

Using a tool designed to reverse engineer Android applications, Fallible discovered that many mobile applications contain hardcoded keys or secrets that should not be there in the first place.

These keys can leak data related to some of the most popular online services, including Twitter, Flickr, Dropbox, Slack, and Uber, as well as Amazon AWS (Amazon Web Services) data, which could be incredibly damaging to both users and affected companies. Although the percentage of insecure apps is small, their existence is still worrisome, researchers say.

The tool used to reverse-engineer Android apps and discover secrets stored in them is accessible online and has been used to analyze around 16,000 apps since its initial launch in November 2016. While most of the apps didn’t have any sort of key or secret in them, 2,500 were found to actually pack hardcoded keys or secrets pertaining to a third-party service.

“Some keys are harmless and are required to be there in the app, for example Google’s API key, but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” Fallible reveals. In the end, 304 applications containing such secrets were singled out.

The issue is that secrets that are unnecessarily stored in these apps can leak a great deal of sensitive information, Abhishek Anand, Fallible co-founder, told SecurityWeek.

“The type of secret leaks we found in Android apps ranged from AWS credentials, some with full access, which could be used to shut down services and lead to data leaks and destruction, to API secrets of various services like Uber, Twitter, Dropbox and Instagram, Stripe secret keys, SMTP server credentials, and MySQL/RDS/Mongo credentials along with connection strings, which in turn lead to user data leaks and more,” he said.

One of the analyzed applications, pertaining to a transportation startup, was found to be leaking a key that could be used to access data for all customers. The affected data included support emails and chats, phone numbers, personal details and more.

“The API keys could be used to disrupt services by using up predefined quotas at the 3rd party service providers and in some cases even leak data stored with them. Some of the keys even made no sense in being kept on the client side, but were exposed along with other keys in a single file,” Anand said.

According to Fallible, 102 of the third-party apps containing unnecessarily hardcoded keys and secrets impact Twitter, while 59 of them impact Urban Airship. Amazon AWS landed in third position with 10 leaky apps (some of these apps had full privileges to create/delete instances), followed by Wootric and Instagram with 8 apps each, and Tapjoy with 7 apps.

Fallible recommends that application developers carefully consider, each and every time, whether they really need to hardcode an API key/token in their app. The company also encourages developers to make sure they understand the API usage and the read/write scope of the tokens before putting them in the apps.

“Any mention of secret credentials in client side code is generally a bad idea since the user can almost always find [them] out no matter how obfuscated [they are],” Anand also told us.

Third-party services are advised to clearly warn/instruct the developers not to put these secrets in their apps, as well as to create multiple API secrets with different scopes if required.
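As an added example (not Fallible's tool or any code from the article), the kind of pre-release check this advice implies: it scans text extracted from a decompiled build for secret formats and separates keys that are designed to live client-side from ones that must never ship. The AWS "AKIA", Stripe "sk_live_" and Google "AIza" prefixes are documented formats; the key-name conventions and the sample extract are assumptions constructed for this example.

```python
import re

# Formats that should never ship in a client build. The AWS "AKIA", Stripe
# "sk_live_" and Google "AIza" prefixes are documented key formats; the
# remaining key-name conventions are assumptions chosen for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret(?:_access)?_key\W{0,4}[A-Za-z0-9/+=]{40}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{8,}\b"),
    "generic_api_secret": re.compile(r"(?i)(?:consumer|api|client)_secret\W{0,4}[A-Za-z0-9_\-]{16,}"),
    "db_connection_string": re.compile(r"(?:jdbc:)?(?:mysql|postgres(?:ql)?|mongodb)://[^\s\"'/@]+:[^\s\"'@]+@[^\s\"']+"),
    "smtp_credentials": re.compile(r"(?i)smtp_(?:password|pass|secret)\W{0,4}\S+"),
}
# Key types designed to be embedded in clients; reported for review, not blocked.
CLIENT_SAFE_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

def scan_for_secrets(extracted_text):
    """Scan decompiled resource/source text line by line and return findings."""
    findings = []
    for lineno, line in enumerate(extracted_text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind, "severity": "block"})
        for kind, pattern in CLIENT_SAFE_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind, "severity": "info"})
    return findings

def release_allowed(findings):
    """True only if the build contains no secret that would need rotating."""
    return not any(f["severity"] == "block" for f in findings)

# Constructed excerpt of a decompiled strings.xml plus a Java constants class.
# The AWS values are Amazon's documented example credentials; all others are placeholders.
SAMPLE_EXTRACT = """\
<string name="google_maps_key">AIzaSyCONSTRUCTED_PLACEHOLDER_012345678</string>
<string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>
<string name="aws_secret_access_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY</string>
<string name="stripe_key">sk_live_CONSTRUCTEDplaceholder00</string>
<string name="twitter_consumer_secret">constructedConsumerSecretValue123456</string>
static final String DB_URL = "jdbc:mysql://app:constructedpw@db.internal.example:3306/users";
smtp_password=constructed-smtp-pw
"""
if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_EXTRACT):
        print(f"line {f['line']}: {f['kind']} [{f['severity']}]")
    print("release allowed:", release_allowed(scan_for_secrets(SAMPLE_EXTRACT)))
```

In a real pipeline the input would be the output of the decompiler (resources and source) rather than an inline string, and the check would run as a CI gate before the APK is signed.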

Related: Majority of Top Android Apps Easily Reverse Engineered: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
