Thousands of Android and iOS apps leak hard-coded secrets

guest · Sep 3, 2022

By Ian Barker @IanDBarker - August 31, 2022

Thousands of Android apps have hard-coded secrets which means that a malicious actor -- and not necessarily a very skilled one -- could gain access to API keys, Google Storage buckets and unprotected databases and more.

Research from Cybernews shows that over half of 30,000 investigated apps are leaking secrets that could have huge repercussions for both app developers and their customers.

"Hardcoding sensitive data into client-side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse-engineering," says Cybernews researcher Vincentas Baubonis.
Click to expand...

Following a month-long investigation the researchers discovered that a great deal of data can be analyzed with what Baubonis calls, "mediocre infrastructure" in just a few weeks. A persistent threat actor with more advanced tools could extract more secrets in a shorter period and then use them for malicious purposes.
Click to expand...

The study found 55.94 percent (18,647) of apps analyzed had hard-coded secrets, including different API keys and even links to open databases exposing sensitive corporate and user data. In total, researchers identified over 124,000 strings potentially leaking sensitive data. The most hard-coded secrets are found in apps within five categories: health and fitness, education, tools, lifestyle, and business.
Click to expand...

Cybernews: Thousands of Android apps leak hard-coded secrets, research shows

Over half of the 30,000 investigated Android Apps are leaking secrets that could have huge repercussions for both app developers and their customers.
Leaky apps
The research team investigated 42,799 applications from the Google Play Store and was able to download 33,334 of the initially identified apps, including approximately 6,000 most popular ones.
Open databases
After analyzing the data, researchers found over 14,000 Firebase URLs, and 606 were links to open Firebase instances.
Google’s logic flaw
It seems that users can download an app from the Play Store without getting any warning or notification that it might be malicious.
Click to expand...

Google storage buckets
Our research team also found 17,557 Google Cloud Storage (GCS) buckets – links to storages where anything from text files to images and videos can be stored.
Facebook problem
Cybernews researchers discover 109 Facebook Client tokens and 2151 Facebook App IDs. App IDs, coupled with client tokens, let you create an account within the app by using Facebook as an oAuth (open authorization) service, used to grant websites and applications access to user data without them having to share passwords.
Click to expand...

guest · Sep 3, 2022

Over 1,000 iOS apps found exposing hardcoded AWS credentials
By Bill Toulas @billtoula - September 1, 2022

Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable.

Malicious actors could take advantage of this to access private databases, leading to data breaches and the exposure of customers' personal data.
Click to expand...

Scale of the problem
Researchers at Symantec’s Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them being iOS apps and just 37 for Android.
Roughly 77% of those applications contained valid AWS access tokens that could be used for direct access to private cloud services.

Additionally, 874 applications contained valid AWS tokens that hackers can use for accessing cloud instances containing live-service databases that hold millions of records.
Click to expand...

Why is this happening?
The issue with hard-coded and “forgotten” cloud service credentials is basically a supply chain problem, as the negligence of an SDK developer can impact an entire collection of apps and services that rely on it.

As for developers hard-coding the credentials in their products, this is a matter of convenience during the development and testing process and skipping proper code review for security issues.
Click to expand...

Symantec: Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information

Over three-quarters of the apps Symantec analyzed contained valid AWS access tokens that allowed access to private AWS cloud services.
Click to expand...

imdb · Oct 26, 2022

A massive cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans.

The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others.

These Android apps are planted by someone with physical access to a person’s device and are designed to stay hidden on their home screens but will continuously and silently upload the phone’s contents without the owner’s knowledge.
Click to expand...

Inside TheTruthSpy, the stalkerware network spying on thousands by Zack Whittaker

Rasheed187 · Oct 28, 2022

imdb said: ↑

Inside TheTruthSpy, the stalkerware network spying on thousands by Zack Whittaker
Click to expand...

This is actually quite shocking that so many people are being spied on, via their smartphones. But from what I understood, most of these stalkerware apps have been installed by someone who had physical access to the device? Or did certain people install these apps by mistake? And can you even find these apps in the Google and Apple app store?

imdb · Oct 28, 2022

Rasheed187 said: ↑

But from what I understood, most of these stalkerware apps have been installed by someone who had physical access to the device? Or did certain people install these apps by mistake?
Click to expand...

imdb said: ↑

...These Android apps are planted by someone with physical access to a person’s device and are designed to stay hidden on their home screens but will continuously and silently upload the phone’s contents without the owner’s knowledge. ...
Click to expand...

Rasheed187 · Oct 29, 2022

@imdb

Yes I did read this, but I wonder how they came to this conclusion? Who says that these people weren't tricked into running these stalkerware apps? If these people had physical access to these devices, then I suppose they are parent or spouses that wanted to secretively monitor their kids and partners.

Which remains shocking of course, but at least they are not total strangers, now that would have been more scary. But it's of course also shocking that all this info is now leaked on the internet. Now that I think of it, I'm not sure if this is the right topic to have posted this. The original post is about something else, or perhaps I'm wrong.

Log in or Sign up

Thousands of Android and iOS apps leak hard-coded secrets

guest Guest

guest Guest

imdb Registered Member

Rasheed187 Registered Member

imdb Registered Member

Rasheed187 Registered Member

Log in or Sign up

Thousands of Android and iOS apps leak hard-coded secrets

guest Guest

guest Guest

imdb Registered Member

Rasheed187 Registered Member

imdb Registered Member

Rasheed187 Registered Member

Useful Searches