Some third-party applications unnecessarily store keys or secrets that could be abused to leak a variety of user credentials and other types of sensitive data, software security startup Fallible warns.
Using a tool designed to reverse engineer Android applications, Fallible discovered that many mobile applications contain hardcoded keys or secrets that should not be there in the first place.
These keys can leak data related to some of the most popular online services, including Twitter, Flickr, Dropbox, Slack, and Uber, as well as Amazon AWS (Amazon Web Services) data, which could be incredibly damaging to both users and affected companies. Although the percentage of insecure apps is small, their existence is still worrisome, researchers say.
The tool used to reverse-engineer Android apps and discover secrets stored in them is accessible online and has been used to analyze around 16,000 apps since its initial launch in November 2016. While most of the apps didn’t have any sort of key or secret in them, 2,500 were found to actually pack hardcoded keys or secrets pertaining to a third-party service.
“Some keys are harmless and are required to be there in the app for example Google’s API key but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” Fallible reveals. 304 such applications were filtered out in the end.
The issue is that secrets that are unnecessarily stored in these apps can leak a great deal of sensitive information, Abhishek Anand, Fallible co-founder, told SecurityWeek.
“The type of secret leaks we found in Android apps ranged from AWS credentials, some with full access which could be used to shut down services and lead to data leak and destruction, API secrets of various services like Uber, Twitter, Dropbox, Instagram and Stripe secret key, SMTP server credentials, MySQL/RDS/Mongo credentials along with connection string which in turn leads to user data leak and more,” he said.
One of the analyzed applications, pertaining to a transportation startup, was found to be leaking a key that could be used to access data for all customers. The affected data included support emails and chats, phone numbers, personal details and more.
“The API keys could be used to disrupt services by using up predefined quotas at the 3rd party service providers and in some cases even leak data stored with them. Some of the keys even made no sense in being kept on the client side, but were exposed along with other keys in a single file,” Anand said.
According to Fallible, 102 of the third-party apps containing unnecessarily hardcoded keys and secrets impact Twitter, while 59 of them impact Urban Airship. Amazon AWS came third with 10 leaky apps (some of these apps had full privileges to create and delete instances), followed by Wootric and Instagram with 8 apps each, and Tapjoy with 7 apps.
According to Fallible, application developers should carefully consider whether they really need to hardcode an API key or token in their app each and every time they do so. Fallible also encourages developers to make sure they understand how the API is used and what read/write scope the tokens carry before putting them in the apps.
“Any mention of secret credentials in client side code is generally a bad idea since the user can almost always find [them] out no matter how obfuscated [they are],” Anand also told us.
Third-party services are advised to clearly warn/instruct the developers not to put these secrets in their apps, as well as to create multiple API secrets with different scopes if required.
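The triage Fallible describes, separating keys that are expected in a client app (such as a Google API key) from secrets that should never ship in one, can be automated as a release check over the strings recovered from a decompiled APK. The scanner below is an added illustration and is not Fallible's tool; the resource names and values are constructed for the example, and the value patterns are the well-known prefixes for AWS access key IDs, Stripe live secret keys, Slack tokens, database connection strings and Google API keys.

```python
import re

# Constructed sample of strings recovered from a decompiled APK (resource names
# and values are made up for this example; none are real credentials).
SAMPLE_STRINGS = {
    "app_name": "Example Rider",
    "google_maps_key": "AIzaSyD-EXAMPLEKEY" + "0" * 21,
    "aws_access_key_id": "AKIAEXAMPLE012345678",
    "stripe_key": "sk_live_EXAMPLE" + "0" * 20,
    "slack_hook_token": "xoxb-000000000000-EXAMPLETOKEN",
    "db_url": "mysql://appuser:hunter2@db.example.internal:3306/app",
    "twitter_consumer_secret": "ZmFrZS1leGFtcGxlLXNlY3JldA",
    "smtp_password": "mailpass123",
}

# Value patterns with a severity. Google API keys are flagged "info" only:
# the article notes they are expected in client apps, unlike the others.
VALUE_PATTERNS = [
    ("aws_access_key_id", r"\bAKIA[0-9A-Z]{16}\b", "high"),
    ("stripe_secret_key", r"\bsk_live_[0-9A-Za-z]{24,}\b", "high"),
    ("slack_token", r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b", "high"),
    ("db_connection_string",
     r"\b(?:mysql|mongodb|postgres(?:ql)?)://[^:/\s]+:[^@\s]+@\S+", "high"),
    ("google_api_key", r"\bAIza[0-9A-Za-z_-]{35}\b", "info"),
]
COMPILED = [(kind, re.compile(pat), sev) for kind, pat, sev in VALUE_PATTERNS]

# Resource names that suggest a server-side secret even when the value has no
# recognisable shape (Twitter consumer secrets, SMTP passwords, ...).
NAME_HINTS = ("secret", "password", "passwd")


def scan_strings(strings):
    """Return (resource_name, finding_kind, severity) for each suspicious entry."""
    findings = []
    for name, value in strings.items():
        for kind, regex, severity in COMPILED:
            if regex.search(value):
                findings.append((name, kind, severity))
                break
        else:  # no value pattern matched: fall back to the resource name
            if any(hint in name.lower() for hint in NAME_HINTS):
                findings.append((name, "secret_by_name", "high"))
    return findings


def actionable(findings):
    """Keep only the findings that should block a release."""
    return [f for f in findings if f[2] == "high"]


if __name__ == "__main__":
    for name, kind, severity in scan_strings(SAMPLE_STRINGS):
        print(f"{severity:5} {name:25} {kind}")
```

Run against the real output of an APK decompiler, the same function walks every string resource and build constant; the name-based fallback is what catches opaque secrets like Twitter consumer secrets that have no fixed format.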