Many Mobile Apps Unnecessarily Leak Hardcoded Keys: Analysis

Some third-party applications unnecessarily store keys or secrets that could be abused to leak a variety of user credentials and other types of sensitive data, software security startup Fallible warns.

Using a tool designed to reverse engineer Android applications, Fallible discovered that many mobile applications contain hardcoded keys or secrets that should not be there in the first place.

These keys can leak data related to some of the most popular online services, including Twitter, Flickr, Dropbox, Slack, and Uber, as well as Amazon AWS (Amazon Web Services) data, which could be incredibly damaging to both users and affected companies. Although the percentage of insecure apps is small, their existence is still worrisome, researchers say.

The tool used to reverse-engineer Android apps and discover secrets stored in them is accessible online and has been used to analyze around 16,000 apps since its initial launch in November 2016. While most of the apps didn’t have any sort of key or secret in them, 2,500 were found to actually pack hardcoded keys or secrets pertaining to a third-party service.

“Some keys are harmless and are required to be there in the app, for example Google’s API key, but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” Fallible reveals. 304 such applications were filtered out in the end.
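The split Fallible describes, keys that are expected to ship in a client (a Google API key) versus server-side secrets that never should (AWS credentials, a Stripe secret key, database connection strings), is something a development team can check for before release. The following is an added example, not Fallible's tool or any code from the article: a small Python scanner that walks the text files of a decoded APK tree, matches well-known key formats and secret-looking assignments, and rates each hit as "high" (must not be in a client) or "info" (client-side by design, but worth restricting). The directory tree, file names and every key value are constructed placeholders (the AWS ones are the AWS documentation example values); in practice you would read the files from a directory produced by an APK decoder.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: files as they might appear in a decoded APK tree.
# Every value is a fake placeholder; nothing here is a live credential.
SAMPLE_TREE = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">DemoRides</string>
    <string name="google_maps_key">AIzaSyEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE00</string>
    <string name="stripe_publishable">pk_test_EXAMPLEEXAMPLEEXAMPLEEXAMPLE</string>
    <string name="twitter_consumer_secret">CONSUMERSECRETEXAMPLE0123456789</string>
</resources>""",
    "assets/config.properties": """# backend settings (these should never ship in the client)
aws.access_key_id=AKIAIOSFODNN7EXAMPLE
aws.secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
stripe.secret=sk_test_EXAMPLEEXAMPLEEXAMPLEEXAMPLE
db.url=mongodb://appuser:hunter2@db.example.invalid:27017/prod
""",
    "smali/com/demo/Net.smali": 'const-string v0, "https://api.example.invalid/v1"\n',
}

# Rules are ordered most-specific first; a value matched by an earlier rule
# is not reported again by a later, more generic one.
RULES = [
    ("aws_access_key_id", r"\bAKIA[0-9A-Z]{16}\b", "high",
     "AWS access key ID; the paired secret key is usually stored nearby"),
    ("stripe_secret_key", r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b", "high",
     "Stripe secret key; only publishable (pk_) keys belong in a client"),
    ("connection_string_with_creds",
     r"\b(?:mysql|mongodb(?:\+srv)?|postgres(?:ql)?|smtp)://[^\s:@\"'<]+:[^\s@\"'<]+@[^\s\"'<]+",
     "high", "database or mail connection string that embeds a username and password"),
    ("named_secret",
     r"(?i)(?:consumer_secret|api_secret|client_secret|secret_key|secret)[\"']?\s*[=:>]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})",
     "high", "value assigned to a key whose name says it is a secret"),
    ("google_api_key", r"\bAIza[0-9A-Za-z_\-]{35}\b", "info",
     "Google API key; expected client-side, but restrict it to this app's package and signature"),
    ("stripe_publishable_key", r"\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b", "info",
     "Stripe publishable key; designed for client use"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    value: str
    note: str


def scan_text(path: str, content: str) -> list[Finding]:
    """Apply every rule to one file; report each distinct value once."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for rule, pattern, severity, note in RULES:
        for m in re.finditer(pattern, content):
            value = m.group(1) if m.groups() else m.group(0)
            if (path, value) in seen:
                continue
            seen.add((path, value))
            line = content.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, rule, severity, value, note))
    return findings


def scan_tree(tree: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> file text (e.g. a decoded APK tree)."""
    findings: list[Finding] = []
    for path in sorted(tree):
        findings.extend(scan_text(path, tree[path]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 5, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))


def redact(value: str) -> str:
    """Show only a prefix so the report itself does not become a leak."""
    return value[:6] + "…" if len(value) > 6 else value


if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for f in sorted(results, key=lambda f: (f.severity, f.path, f.line)):
        print(f"[{f.severity:4}] {f.path}:{f.line} {f.rule} {redact(f.value)}  ({f.note})")
    print("summary:", summarize(results))
```

Run it over a real decoded tree by replacing `SAMPLE_TREE` with a dict built from the files under the decoder's output directory. The "info" hits are the keys the article says are legitimately present; the "high" hits are the ones a release gate should block, and a key-name rule like `named_secret` is what catches service secrets such as Twitter consumer secrets, which have no recognisable format of their own.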

The issue is that secrets that are unnecessarily stored in these apps can leak a great deal of sensitive information, Abhishek Anand, Fallible co-founder, told SecurityWeek.

“The type of secret leaks we found in Android apps ranged from AWS credentials, some with full access, which could be used to shut down services and lead to data leak and destruction, API secrets of various services like Uber, Twitter, Dropbox, Instagram and Stripe secret key, SMTP server credentials, MySQL/RDS/Mongo credentials along with connection string which in turn leads to user data leak and more,” he said.

One of the analyzed applications, pertaining to a transportation startup, was found to be leaking a key that could be used to access data for all customers. The affected data included support emails and chats, phone numbers, personal details and more.

“The API keys could be used to disrupt services by using up predefined quotas at the 3rd party service providers and in some cases even leak data stored with them. Some of the keys even made no sense in being kept on the client side, but were exposed along with other keys in a single file,” Anand said.

According to Fallible, 102 of the third-party apps containing unnecessarily hardcoded keys and secrets impact Twitter, while 59 of them impact Urban Airship. Amazon AWS landed on the third position with 10 leaky apps (some of these apps had full privilege of creating/deleting instances), followed by Wootric and Instagram with 8 apps each, and Tapjoy with 7 apps.

According to Fallible, application developers should carefully consider, each and every time, whether they really need to hardcode an API key or token in their app. They also encourage developers to make sure they understand the API usage and the read/write scope of the tokens before putting them in the apps.

“Any mention of secret credentials in client side code is generally a bad idea since the user can almost always find [them] out no matter how obfuscated [they are],” Anand also told us.

Third-party services are advised to clearly warn/instruct the developers not to put these secrets in their apps, as well as to create multiple API secrets with different scopes if required.

Related: Majority of Top Android Apps Easily Reverse Engineered: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
