Many Mobile Apps Unnecessarily Leak Hardcoded Keys: Analysis

Some third-party applications unnecessarily store keys or secrets that could be abused to leak a variety of user credentials and other types of sensitive data, software security startup Fallible warns.

Using a tool designed to reverse engineer Android applications, Fallible found that many mobile apps contain hardcoded keys or secrets that should not be there in the first place.

These keys can expose data held by some of the most popular online services, including Twitter, Flickr, Dropbox, Slack, and Uber, as well as Amazon Web Services (AWS) resources, which could be incredibly damaging to both users and the affected companies. Although the percentage of insecure apps is small, their existence is still worrisome, the researchers say.

The tool used to reverse engineer Android apps and find secrets stored in them is accessible online and has been used to analyze around 16,000 apps since its launch in November 2016. While most of the apps did not contain any key or secret at all, 2,500 were found to contain hardcoded keys or secrets for a third-party service.

“Some keys are harmless and are required to be there in the app, for example Google’s API key, but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” Fallible reveals. After filtering out the harmless keys, 304 applications containing such secrets remained.
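The scan described above reduces to two steps: pull every string out of the APK (which is just a zip archive) and match the strings against credential patterns, then separate secrets that have no business on a device from keys that are expected on the client. The following is an added example in that spirit, not Fallible's tool and not code from the article; the sample APK it builds is constructed in memory with placeholder values (the AWS access key and secret are the well-known documentation examples, the other values are made up), and the pattern list, severity labels and the `google_api_key` "expected on client" classification are this example's own assumptions.

```python
"""Scan an Android APK (a zip archive) for hardcoded third-party credentials.

Added example: builds a fake APK in memory, then scans every entry with a
small set of credential patterns and separates secrets that should never ship
in client code from client-side keys that are expected to be there.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# Pattern -> severity. "high" = a secret that should not be in client code at all;
# "info" = a key that is normally meant for the client (Google API keys are
# restricted per app/package on Google's side, so their presence is expected).
# Name-based patterns (aws_secret..., twitter...secret) need the key name next to
# the value, as in strings.xml or a .properties file; format-based patterns
# (AKIA..., sk_live_..., mysql://...) match anywhere, including the dex string table.
SECRET_PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    "aws_secret_access_key": (
        re.compile(r"(?i)aws[_-]?secret\w*\W{1,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"), "high"),
    "twitter_consumer_secret": (
        re.compile(r"(?i)twitter[\w.-]*secret\W{1,5}([A-Za-z0-9]{32,64})(?![A-Za-z0-9])"), "high"),
    "stripe_secret_key": (re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"), "high"),
    "db_connection_string": (
        re.compile(r"\b(?:mysql|mongodb|postgres(?:ql)?)://[^\s\"'<\x00]+:[^\s\"'<\x00]+@[^\s\"'<\x00]+"), "high"),
    "google_api_key": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "info"),
}


@dataclass(frozen=True)
class Finding:
    entry: str      # path inside the APK
    kind: str       # key of SECRET_PATTERNS
    severity: str   # "high" or "info"
    sample: str     # redacted match, safe to put in a report


def redact(value: str) -> str:
    """Keep only enough of the value to recognise it; never log the full secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_apk(apk_bytes: bytes) -> List[Finding]:
    """Return every credential-looking string found in any entry of the APK."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # latin-1 maps every byte to one character, so ASCII patterns still
            # match inside binary entries such as classes.dex.
            data = zf.read(info.filename).decode("latin-1")
            for kind, (pattern, severity) in SECRET_PATTERNS.items():
                for m in pattern.finditer(data):
                    value = m.group(m.lastindex) if m.lastindex else m.group(0)
                    findings.append(Finding(info.filename, kind, severity, redact(value)))
    return findings


def secrets_that_should_not_ship(findings: List[Finding]) -> List[Finding]:
    """The filtering step: drop client-side keys, keep real secrets."""
    return [f for f in findings if f.severity == "high"]


def build_sample_apk() -> bytes:
    """Constructed sample APK (placeholder values only) used to exercise the scanner."""
    strings_xml = (
        '<?xml version="1.0" encoding="utf-8"?><resources>'
        '<string name="app_name">Sample Rides</string>'
        f'<string name="google_maps_key">{"AIzaSy" + "A" * 33}</string>'
        '<string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>'
        '<string name="aws_secret_access_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>'
        '</resources>'
    )
    properties = (
        "twitter.consumer.key=" + "k" * 25 + "\n"
        "twitter.consumer.secret=" + "c0nsum3rS3cr3t" + "Z" * 36 + "\n"
    )
    # A fake dex: strings sit NUL-separated in the string table, with no key names.
    dex = b"dex\n035\x00" + b"\x00".join([
        b"Lcom/example/rides/BuildConfig;",
        b"sk_live_" + b"X" * 24,
        b"mysql://appuser:Passw0rd@db.example.internal:3306/prod",
    ]) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml", strings_xml)
        zf.writestr("assets/config.properties", properties)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for f in secrets_that_should_not_ship(scan_apk(build_sample_apk())):
        print(f"{f.severity:4} {f.entry}: {f.kind} ({f.sample})")
```

On the constructed APK the scanner reports six matches, of which five are flagged as secrets that should not ship; the Google Maps key is recorded but classified as expected on the client. Real apps obfuscate, split and XOR strings, so a pattern scanner like this finds only the low-hanging fruit; it is a triage tool, not proof of absence.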

The issue is that secrets that are unnecessarily stored in these apps can leak a great deal of sensitive information, Abhishek Anand, Fallible co-founder, told SecurityWeek.

“The type of secret leaks we found in Android apps ranged from AWS credentials, some with full access, which could be used to shut down services and lead to data leak and destruction, API secrets of various services like Uber, Twitter, Dropbox, Instagram and Stripe secret key, SMTP server credentials, MySQL/RDS/Mongo credentials along with connection string, which in turn leads to user data leak and more,” he said.

One of the analyzed applications, belonging to a transportation startup, was found to leak a key that could be used to access data for all of its customers. The exposed data included support emails and chats, phone numbers, personal details and more.

“The API keys could be used to disrupt services by using up predefined quotas at the third-party service providers and in some cases even leak data stored with them. Some of the keys even made no sense in being kept on the client side, but were exposed along with other keys in a single file,” Anand said.

According to Fallible, 102 of the apps containing unnecessarily hardcoded keys and secrets expose Twitter credentials, while 59 expose Urban Airship credentials. Amazon AWS came third with 10 leaky apps (some of which carried full privileges to create and delete instances), followed by Wootric and Instagram with 8 apps each, and Tapjoy with 7.

According to Fallible, application developers should carefully consider, every time they do so, whether they really need to hardcode an API key or token in their app. They also encourage developers to understand how the API uses the token, and what read/write scope it carries, before putting it in an app.

“Any mention of secret credentials in client side code is generally a bad idea since the user can almost always find [them] out no matter how obfuscated [they are],” Anand also told us.

Third-party services are advised to clearly warn and instruct developers not to embed these secrets in their apps, and to offer multiple API secrets with different scopes where required.
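The two recommendations above (keep secrets out of client code, and hand out narrowly scoped credentials) combine naturally into one backend design: the app never receives the upstream API secret; it receives a short-lived token from your own backend that names exactly the operations it may perform, and only the backend calls the third-party service with the real secret. The following is an added example of that design, not code from Fallible or from the article; the signing key, the upstream secret, the `rides:read`/`rides:write` scope names and the `handle_rides_request` handler are all hypothetical placeholders, and the upstream call is simulated.

```python
"""Keep third-party secrets off the device with scoped, short-lived delegated tokens.

Added example. The mobile app authenticates to our backend and gets a token
bound to a user and a narrow scope. The backend verifies that token on every
request and is the only party that ever holds the real upstream API secret.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Server-side only. Hypothetical placeholder values for this example; in a real
# deployment these come from a secret store and the signing key is rotated.
UPSTREAM_API_SECRET = "server-side-only-never-shipped-in-the-apk"
TOKEN_SIGNING_KEY = b"example-token-signing-key"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_client_token(user_id: str, scopes: List[str], ttl_seconds: int = 300,
                       now: Optional[int] = None) -> str:
    """Mint a token the app may hold: claims + HMAC-SHA256 over the encoded claims."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"


def authorize(token: str, required_scope: str, now: Optional[int] = None) -> Dict:
    """Return the claims if the token is genuine, unexpired and carries the scope.

    Raises PermissionError otherwise. The signature is checked before the claims
    are parsed, so a forged body never influences the decision.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        provided = _unb64u(sig)
    except ValueError:  # also covers binascii.Error from bad base64
        raise PermissionError("malformed token")
    expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64u(body))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if required_scope not in claims["scopes"]:
        raise PermissionError(f"scope {required_scope!r} not granted")
    return claims


# Each app-facing action maps to the minimum scope it needs (hypothetical names).
ACTION_SCOPES = {"list": "rides:read", "cancel": "rides:write"}


def handle_rides_request(token: str, action: str, now: Optional[int] = None) -> Dict:
    """Backend handler: check the delegated token, then act upstream with the real secret."""
    claims = authorize(token, ACTION_SCOPES[action], now)
    # The real call to the third-party API, authenticated with UPSTREAM_API_SECRET,
    # would happen here; it is simulated so the example runs offline.
    return {"ok": True, "user": claims["sub"], "action": action}


if __name__ == "__main__":
    t = issue_client_token("user-42", ["rides:read"], ttl_seconds=60)
    print(handle_rides_request(t, "list"))
```

A token that grants only `rides:read` is accepted for listing and refused for cancelling, a token past its expiry is refused, and swapping the claims for ones that add `rides:write` while reusing the old signature fails the HMAC check. The point relative to the article is the asymmetry: what ships in the APK can be extracted, so what ships must be worthless to an attacker beyond the single user and scope it was issued for, and for at most a few minutes.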

Related: Majority of Top Android Apps Easily Reverse Engineered: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
