Many third-party Android applications unnecessarily store keys or secrets that could be abused to leak user details, credentials and other sensitive data, warns software security startup Fallible.
Reverse-engineering tools extract this data from the Android applications; it takes the form of hardcoded keys or secrets that should never have been shipped in the apps in the first place.
These keys can leak data related to several popular online services, including Flickr, Slack, Dropbox, Twitter and Uber, as well as Amazon AWS data, which can be incredibly damaging to both users and the affected companies. Although the percentage of insecure apps is very small, their existence is still something to worry about, the researchers say.
The tools Fallible used to reverse-engineer these Android apps and discover the secrets stored in them are available online and have been used to analyse more than 16,000 apps since the tool's launch in November 2016. Most of these apps contained no key or secret at all; about 2,500 were found to contain hardcoded keys or secrets pertaining to a third-party service.
“Some keys are harmless and are required to be there in the app, for example, Google’s API key, but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” reveals Fallible. Filtering out the harmless keys left 304 such applications.
“The type of secret leaks we found in Android apps ranged from AWS credentials, some with full access which could be used to shut down services and lead to data leak and destruction, API secrets of various services like Uber, Twitter, Dropbox, Instagram and Stripe secret keys, SMTP server credentials, MySQL/RDS/Mongo credentials along with connection strings, which in turn leads to user data leaks and more,” says Abhishek Anand, Fallible co-founder.
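As an added illustration (this is not Fallible's tool or code), the scanner below shows the shape of what the article describes: it walks the output of a decompiler such as apktool, matches the categories of secret Anand lists, and then applies the same kind of filtering Fallible describes, separating keys that legitimately belong in a client (a Google API key) from server-side secrets that never should. The regular expressions, the severity labels and the sample strings are constructed for this example; every sample value is fake (the AWS secret is the placeholder from AWS's own documentation).

```python
"""Scan decompiled Android app output for hardcoded third-party secrets.

Typical inputs (both are real tool invocations):
    apktool d app.apk -o decompiled/      # smali + decoded res/values/strings.xml
    unzip -q app.apk -d unzipped/         # raw classes.dex, assets/, res/raw/
Then: python scan_secrets.py decompiled/
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    must_not_ship: bool   # True: a server-side secret that never belongs in a client


@dataclass(frozen=True)
class Finding:
    rule: str
    value: str
    must_not_ship: bool
    source: str


# Illustrative patterns for this example, not a complete ruleset.
RULES = [
    Rule("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    Rule("aws_secret_access_key",
         re.compile(r"(?i)aws[_a-z]*secret[_a-z]*\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"), True),
    Rule("stripe_secret_key", re.compile(r"\bsk_live_[0-9a-zA-Z]{24}\b"), True),
    Rule("db_connection_string",
         re.compile(r"(?i)\b(?:mysql|mongodb|postgres(?:ql)?)://[^\s'\"]+:[^\s'\"]+@[^\s'\"]+"), True),
    Rule("smtp_password", re.compile(r"(?i)smtp[_a-z]*pass[_a-z]*\s*[:=]\s*['\"]([^'\"]+)['\"]"), True),
    # Restricted client keys are expected in an app; flag them for review only.
    Rule("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}"), False),
]


def scan_text(text: str, source: str = "<inline>") -> List[Finding]:
    """Run every rule over one blob of text (a strings.xml, a smali file, a dex dump)."""
    findings = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            # Rules with a capture group report just the secret, not the surrounding assignment.
            value = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(rule.name, value, rule.must_not_ship, source))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a decompiled/unzipped APK. Binary files (classes.dex, .so) are read with
    errors='ignore', which keeps their ASCII string runs intact for the regexes."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                findings.extend(scan_text(f.read(), source=path))
    return findings


def triage(findings: List[Finding]) -> List[Finding]:
    """Mirror the article's filtering step: keep only secrets that must never ship in a client."""
    return [f for f in findings if f.must_not_ship]


# Constructed sample of what apktool output or `strings classes.dex` might contain.
# All values are fake and exist only to exercise the rules above.
SAMPLE_STRINGS = "\n".join([
    '<string name="maps_key">AIzaSyFAKE' + "0" * 29 + '</string>',         # client key: acceptable
    'const-string v0, "AKIAEXAMPLEKEY000000"',                                # AWS access key ID
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',     # AWS secret
    'STRIPE_KEY = "sk_live_0000000000000000FAKE0000"',                        # Stripe secret key
    'jdbc_url = "mysql://appuser:S3cretPw@db.example.internal:3306/prod"',    # DB creds in URL
    'smtp_password = "hunter2"',                                              # SMTP credential
    'build_flavor = "release"',                                               # harmless noise
])


if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_STRINGS)
    severe = triage(found)
    print(f"{len(found)} hardcoded keys, {len(severe)} must never ship in a client:")
    for f in severe:
        print(f"  [{f.rule}] {f.source}: {f.value[:6]}...")
```

Run it with no argument to scan the built-in sample, or point it at an apktool output directory. The triage step is the important one for a reviewer: a Google API key in a client is usually intended, whereas an AWS secret access key or a database connection string with embedded credentials is always a finding, because anyone who can unzip the APK can use it.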