Secret tokens found hard-coded in hundreds of Android apps
January 23, 2017
A security research firm has found hundreds of Android apps that are leaking sensitive secret keys and tokens, which could be used and abused by hackers.
Fallible, a Delaware-based security firm, spent the past few months reverse engineering thousands of apps to discover security issues, such as leaky secret keys. These keys often belong to third-party services that the apps integrate with, but if leaked, they could be used to manipulate or abuse those services.
The company posted its results over the weekend. While most of the 16,000 apps they examined didn’t leak any keys, a little over 300 apps contained easily-found, hard-coded keys for services like Dropbox, Twitter, and Slack.
A single token leak could lead to data exposure. Just last year, another security firm found over 1,500 tokens for Slack used by large enterprises, including internet companies and healthcare providers.
Fallible also confirmed it found 10 instances where Amazon Web Services secret keys were hard-coded in the apps.
Some of them had full privileges to create and delete instances. In some cases, the hard-coded secrets could allow an attacker to steal or delete data.
The firm also said it recently found a unicorn transportation startup using Zendesk that was leaking its API secret, which could be used to leak user data for all of its customers, including support emails and chats, phone numbers, personal details and more. In other cases, it “made no sense” to keep certain secret keys in the app, such as database and mail credentials.
The advice is simple enough: Think twice before using hard-coded keys. Understand the API usage and the read-write scope of the tokens before putting them in the apps.
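The kind of check that catches these leaks before a build ships, as an added example that is not Fallible's tooling or code from the article: a small scanner run over decompiled app resources (a `strings.xml` fragment and a smali constant, constructed here for the example) that flags the service credentials the article names by regex and screens shape-only matches with an entropy test. The AWS values are the placeholder credentials from AWS's own documentation; the other values are made up.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of what a reverse engineer sees in a decompiled APK.
# AWS values are AWS documentation example credentials, not live keys.
SAMPLE_DECOMPILED = """\
<string name="app_name">ExampleApp</string>
<string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
<string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
<string name="slack_token">xoxb-000000000000-constructedExampleTokenValue</string>
<string name="support_email">support@example.com</string>
const-string v0, "db_password=hunter2"
"""

# Signatures for services named in the article. AWS secret keys have no fixed
# prefix, so they are matched by shape (40 base64-ish chars) and then screened
# by entropy to drop ordinary words of the same length.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:db_password|mail_password|api_secret)\s*=\s*[^\s\"]+"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text: str, min_entropy: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, signature_name, matched_value) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                # Only the shape-based AWS secret rule needs the entropy screen.
                if name == "aws_secret_access_key" and shannon_entropy(value) < min_entropy:
                    continue
                hits.append((lineno, name, value))
    return hits

if __name__ == "__main__":
    for lineno, name, value in scan(SAMPLE_DECOMPILED):
        print(f"line {lineno}: {name}: {value}")
```

Run it against the output of `apktool d` on a release build in CI; any hit means a secret is reachable by anyone who downloads the app, and the fix is to move that call behind a backend the app authenticates to instead.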