Two years ago, there was a growing chorus of voices expressing concern about private API keys finding their way into the public domain thanks in part to careless pushing of code to services like GitHub. Now this problem has spread to mobile apps. The guys over at Hackernoon explain.
They built a Web-based tool to scan Android apps for security vulnerabilities. In just over two months, users of the tool reverse-engineered over 16k apps and found third-party API secrets/keys baked into just over 2.5k of them.
Most of these hard-coded secrets/keys are relatively harmless. But the team discovered over 300 where sensitive information was being revealed that could cause real damage in the wrong hands. One app, for example, revealed an Uber secret with which a developer could send in-app notifications via the Uber app. Even worse, another contained an AWS secret with which a hacker could create and destroy server instances.
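The two findings above (an AWS secret and a third-party service secret) are exactly the kind of string a secret scanner pulls out of a decompiled app. The following is an added example, not the Hackernoon team's tool, of how such a scan works: it parses string assignments from decompiled sources, matches one well-known structural format (AWS access key IDs begin with `AKIA` followed by 16 upper-case alphanumerics) and otherwise flags long, high-entropy literals assigned to suspiciously named identifiers while skipping obvious placeholders. The sample lines, every credential value in them, the entropy threshold and the placeholder word list are all constructed for this example.

```python
"""Heuristic scanner for hard-coded third-party secrets in decompiled app code.

Added example for illustration; not the tool described in the article.
All sample values below are constructed and match no real credential.
"""
import math
import re

# Constructed sample input: lines as they might appear in decompiled Android
# sources. Every value here is made up for this example.
SAMPLE_LINES = [
    'String API_BASE = "https://api.example.com/v1";',
    'String AWS_ACCESS_KEY_ID = "AKIA4M7Q2ZP9XL3KT8RV";',
    'String AWS_SECRET_ACCESS_KEY = "K7sZq2LmN9pR4tVwXyBcD6fGhJkMnPqRsTuVwXyZ";',
    'String TWITTER_CONSUMER_SECRET = "qZ7kP2mL9vX4rT8wN1yB6cD3fG5hJ0kL2mN4pQ6r";',
    'String DEBUG_TAG = "MainActivity";',
    'String UBER_SERVER_TOKEN = "REPLACE_ME_WITH_YOUR_KEY";',
]

# Structural pattern for one well-known credential format: AWS access key IDs
# start with "AKIA" followed by 16 upper-case alphanumerics.
STRUCTURED_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}

# A string literal of at least 16 non-space characters assigned to an identifier.
ASSIGNMENT_RE = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"\s]{16,})"'
)
# Identifier names that suggest the literal is a credential.
SUSPICIOUS_NAME_RE = re.compile(r"(?i)secret|token|api_?key|access_?key|password")
# Words that mark a value as a template placeholder rather than a live secret.
PLACEHOLDER_RE = re.compile(r"(?i)replace|your|example|changeme|todo|xxx")
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen by hand for this example


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only the ends so a findings report does not re-leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def classify(name: str, value: str):
    """Return a finding kind for (identifier, literal), or None if it looks benign."""
    for kind, pattern in STRUCTURED_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    if (
        len(value) >= 20
        and SUSPICIOUS_NAME_RE.search(name)
        and not PLACEHOLDER_RE.search(value)
        and shannon_entropy(value) >= ENTROPY_THRESHOLD
    ):
        return "high_entropy_secret"
    return None


def scan_lines(lines):
    """Return findings as dicts with 1-based line number, kind, identifier and masked value."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = ASSIGNMENT_RE.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        kind = classify(name, value)
        if kind:
            findings.append({"line": lineno, "kind": kind, "name": name, "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['kind']} in {f['name']} = {f['value']}")
```

Two points the example makes that the numbers in the article do not: a pure entropy check is not enough, because a placeholder such as `REPLACE_ME_WITH_YOUR_KEY` scores above the threshold and would count as a false positive without the word filter; and a scanner's report should mask what it finds, since a findings list full of live keys is itself another copy of the secrets. Running the same scan against your own build output before release is the cheap mitigation; the durable one is not shipping third-party secrets in the client at all and proxying those calls through a server you control.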
Twitter was the most common third-party service whose secrets were revealed. The social media giant’s secrets were found in 102 apps.