New research by Cybernews shows that thousands of apps ship with hard-coded secrets. That means a malicious actor, and not necessarily a very skilled one, can recover API keys, the locations of Google Storage buckets and the credentials for unprotected databases simply by unpacking an app that anyone can download, and then use that information for their own benefit.
Hard-coding “secrets” such as API keys inside an app is a bad idea, but apparently a great many developers do it.
Working with minimal infrastructure and in only 30 days, the researchers examined more than 30,000 apps and found that over 55% contained hard-coded secrets, including API keys, credentials for unprotected databases and references to open storage buckets.
Obviously, this should be an immediate concern to any manager who is either developing an app in house or paying a third party to develop one.
But also consider the apps that you use and store sensitive data in. It is harder for you to verify that those apps contain no hard-coded secrets, but it is not impossible, and a good place to start is to ask the vendor about its secure software development practices, and specifically how it keeps credentials out of the app it ships.
Finally, while this study looked at Android apps (because they are the easiest to unpack and examine), it is likely that iPhone apps, Windows apps and Mac apps exhibit the same problem.
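The check described above, for an app you develop or one you are evaluating, can be started with a very small amount of tooling. The following scanner is an added example written for this alert; it is not the Cybernews tooling and not part of their report. It assumes you have already unpacked the app into text files (for an Android app, a decompiler such as apktool or jadx produces exactly that) and it looks for two things: credential formats whose public prefixes are well known (AWS access key IDs begin with “AKIA”, Google API keys with “AIza”, PEM private keys with a “BEGIN … PRIVATE KEY” header), and generic assignments to names like api_key, secret, token or password whose value looks random. The random-looking test uses Shannon entropy so that obvious placeholders are not reported. The sample files at the bottom are constructed for the example and contain no real credentials.

```python
"""Toy hard-coded-secret scanner for the text files of an unpacked app.

Added example for this alert, not the Cybernews tooling.  Run it over the
output of a decompiler (or of `strings` on a binary) and it reports values
that look like credentials.
"""
import math
import re
from typing import Dict, List, Tuple

# Well-known credential formats.  The prefixes are documented by the providers
# themselves, so a match here is a strong signal on its own.
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic `NAME = "value"` / `"name": "value"` assignments where NAME contains a
# credential-ish word.  Too noisy on its own, so the value must also look random.
GENERIC_PATTERN = re.compile(
    r"(?i)\b\w*(?:api[_-]?key|secret|token|password)\w*['\"]?\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)

Finding = Tuple[str, int, str, str]  # (file, line number, finding type, value)


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4 or more for random alphanumerics, 0 for 'xxxx'."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(name: str, text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Scan one file's text and return every credential-shaped hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        format_hits = [
            (name, lineno, kind, m.group(0))
            for kind, pat in FORMAT_PATTERNS.items()
            for m in pat.finditer(line)
        ]
        findings.extend(format_hits)
        if format_hits:
            continue  # already reported with a precise type; skip the generic check
        for m in GENERIC_PATTERN.finditer(line):
            value = m.group(1)
            # Low-entropy values ("xxxxxxxx", "changeme") are placeholders, not secrets.
            if shannon_entropy(value) >= min_entropy:
                findings.append((name, lineno, "high_entropy_assignment", value))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file text (e.g. the tree a decompiler wrote out)."""
    findings: List[Finding] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample mimicking what a decompiler emits from an APK.  The AWS
# key is the placeholder from AWS's own documentation; the others are made up.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<string name="maps_key">AIza0123456789abcdefghijklmnopqrstuvwxy</string>\n'
        '<string name="app_name">Example</string>\n'
    ),
    "com/example/app/BuildConfig.java": (
        'public static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        'public static final String DB_PASSWORD = "q7Gx2pL9vRt4WmZ8nKb3";\n'
        'public static final String PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxx";\n'
    ),
    "assets/backup.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "constructed-sample-no-real-key-material\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {value[:8]}...")
```

On the sample tree the scanner reports the Google key in strings.xml, the AWS key ID and the random-looking database password in BuildConfig.java, and the private key header in the bundled PEM file, while the all-x placeholder token is correctly ignored. A real review would add the provider formats you care about and run the same scan in the build pipeline, so a secret is caught before the app is published rather than after.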
For more information check out the Cybernews report.
For help analyzing the security risks of apps you are developing or using, please contact us.