Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts

Hundreds of mobile applications that use the Twilio SDK or REST API include hardcoded credentials that could be abused to access millions of calls and text messages, researchers warned on Thursday.

Appthority’s Mobile Threat Team has analyzed more than 1,100 iOS and Android applications that use Twilio, a cloud communications platform designed for developing voice and messaging apps.

Twilio’s documentation provides guidance on best security practices, but researchers found that 686 apps from 85 developers exposed Twilio account IDs and access tokens (i.e. passwords). Roughly one-third of the applications containing hardcoded Twilio credentials are business-related, and the ones designed for Android have been downloaded between 40 and 180 million times.

The affected apps, more than 170 of which are still available on Google Play and the Apple App Store, include software used for secure communications by a federal law enforcement agency, one that allows sales teams to record audio and annotate discussions in real-time, and navigation apps for AT&T and US Cellular customers.

Researchers estimated that by extracting the Twilio account credentials from the source code of these apps, malicious actors could have gained access to hundreds of millions of call records, calls and call audio recordings, and SMS and MMS messages. North America, the U.K. and Australia are the most affected regions.

The vulnerability, which Appthority has dubbed “Eavesdropper,” was discovered in April and Twilio was notified in July. The service provider has been working with the developers of the impacted apps to address the issue.

However, researchers pointed out that the only way for developers to properly address the problem is to get their users to install an updated version of their app that does not include hardcoded credentials and change their Twilio account tokens.

Hardcoded credentials can pose a serious risk, not just for apps that use Twilio. Appthority warned that roughly 40% of the analyzed applications also expose Amazon S3 credentials.

Researchers have found credentials for more than 2,000 Amazon accounts in the analyzed apps. A closer analysis showed that roughly 900 of the accounts are still active and they provide access to nearly 22,000 S3 buckets, including ones that store potentially sensitive information.
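As an added example that is not from the article or from Appthority's research, the following pre-release check scans decompiled app sources for the two credential types discussed above. It assumes the documented formats of Twilio Account SIDs ("AC" plus 32 hex characters) and auth tokens (32 hex characters) and of AWS access key IDs ("AKIA" or "ASIA" plus 16 characters); the file contents are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample input: strings as they might appear in decompiled app
# sources. All values are synthetic placeholders, not real credentials.
SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/app/Config.java": (
        'static final String TWILIO_SID = "AC00112233445566778899aabbccddeeff";\n'
        'static final String TWILIO_TOKEN = "ffeeddccbbaa99887766554433221100";\n'
    ),
    "res/values/strings.xml": '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n',
    "com/example/app/Hashes.java": (
        'static final String CHECKSUM = "d41d8cd98f00b204e9800998ecf8427e";\n'
    ),
}

# Twilio Account SIDs are "AC" + 32 hex chars; auth tokens are 32 hex chars.
TWILIO_SID = re.compile(r"\bAC[0-9a-f]{32}\b")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")
# AWS access key IDs are 20 chars starting AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def redact(secret: str) -> str:
    """Keep only a short prefix/suffix so reports can be shared without leaking the value."""
    return secret[:6] + "..." + secret[-2:]


def scan_sources(sources: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per hardcoded credential candidate.

    A bare 32-hex string is ambiguous (an MD5 digest looks identical), so it is
    only reported as a Twilio auth token when an Account SID is in the same file.
    """
    findings: List[Dict[str, str]] = []
    for path, text in sources.items():
        sids = TWILIO_SID.findall(text)
        for sid in sids:
            findings.append({"file": path, "kind": "twilio_account_sid", "value": redact(sid)})
        if sids:
            for tok in HEX32.findall(text):
                findings.append({"file": path, "kind": "twilio_auth_token", "value": redact(tok)})
        for key in AWS_KEY_ID.findall(text):
            findings.append({"file": path, "kind": "aws_access_key_id", "value": redact(key)})
    return findings


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['file']}: {f['kind']} {f['value']}")
```

A hit is only half the remediation: as the article notes, the exposed token must also be rotated, because copies already extracted from shipped builds keep working until it is.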

“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” warned Seth Hardy, Appthority Director of Security Research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”

Earlier this year, Appthority reported that more than 1,000 iOS and Android applications installed on enterprise mobile devices had been exposing sensitive data via backend systems.

Related: Enterprises Blacklist iOS Apps Due to Data Leakage

Related: Many Mobile Apps Unnecessarily Leak Hardcoded Keys

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.