
Did Someone Tell You iPhones Are Secure? Not Really!

Hard coded secrets are things like passwords and API keys that are hard coded into “apps” for anyone to find. Generally considered a bad thing. 🙂

This includes thousands that are sensitive. Secrets that could lead to breaches. Now that this information is public, the risk just went up.

The “average” app leaked 5.2 secrets and 71 percent of the apps examined leaked at least one secret.

While many of these secrets are low risk, many are not. The databases they give hackers access to contain personal information and allow access to sensitive infrastructure.

Among the secrets NOT protected were:

  • Almost 83,000 hardcoded Cloud storage endpoints, 836 of which do not require authentication, leaking 406TB of data.
  • Over 51,000 Firebase endpoints, thousands open to outsiders.
  • Thousands of keys exposed for Fabric API, Live Branch, MobApp Creator, and others.
  • Hundreds of the most sensitive keys can be abused to issue payments and refunds and obtain private data and communications.
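
For developers who want to check their own build for the categories listed above, the sketch below walks every property list in an unpacked app bundle and flags Firebase endpoints, cloud storage endpoints and string values stored under secret-sounding key names. It is an added example, not the Cybernews researchers' tooling; the regexes, the 16-character threshold and the sample bundle contents are assumptions constructed for illustration.

```python
import plistlib, re, tempfile
from pathlib import Path

# Constructed patterns for the endpoint categories named in the list above.
ENDPOINT_PATTERNS = {
    "firebase-endpoint": re.compile(r"https://[\w-]+\.firebaseio\.com", re.I),
    "cloud-storage-endpoint": re.compile(
        r"https://[\w.-]+\.(?:s3[\w.-]*\.amazonaws\.com|blob\.core\.windows\.net)", re.I),
}
SECRET_NAME = re.compile(r"secret|passw(?:or)?d|token|api[_-]?key", re.I)  # assumed heuristic

def walk(node, path=""):
    """Yield (key_path, value) for every string in a parsed plist."""
    if isinstance(node, str):
        yield path, node
    children = (node.items() if isinstance(node, dict)
                else enumerate(node) if isinstance(node, list) else ())
    for key, child in children:
        yield from walk(child, f"{path}/{key}")

def scan_bundle(app_dir):
    """Return sorted (file, key_path, category) findings for plists in app_dir."""
    findings = []
    for plist in Path(app_dir).rglob("*.plist"):
        try:
            data = plistlib.loads(plist.read_bytes())  # handles XML and binary plists
        except Exception:
            continue  # unparseable file with a .plist name; skip it
        for key_path, value in walk(data):
            hits = [c for c, rx in ENDPOINT_PATTERNS.items() if rx.search(value)]
            leaf = key_path.rsplit("/", 1)[-1]
            if not hits and SECRET_NAME.search(leaf) and len(value) >= 16:
                hits = ["secret-named-key"]
            findings += [(plist.name, key_path, c) for c in hits]
    return sorted(findings)

def demo():
    """Scan a constructed bundle; every value below is a made-up placeholder."""
    with tempfile.TemporaryDirectory() as app:  # stands in for an unpacked .app
        Path(app, "Info.plist").write_bytes(plistlib.dumps({
            "CFBundleName": "Example",
            "PaymentApiKey": "EXAMPLE-PLACEHOLDER-0000",
            "Backends": ["https://example-bucket.s3.amazonaws.com/media"]}))
        Path(app, "GoogleService-Info.plist").write_bytes(plistlib.dumps(
            {"DATABASE_URL": "https://example-project.firebaseio.com"},
            fmt=plistlib.FMT_BINARY))
        return scan_bundle(app)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A finding only shows that the value ships inside the bundle; how serious it is depends on what the endpoint or key permits without further authentication.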

The researchers scanned less than 10 percent of the apps in the iStore and didn’t even try to de-obfuscate code that was scrambled, so this is really the tip of the iceberg.

Here is a chart of just the top 20 categories of secrets they found exposed.

While Apple can try to make the iPhone itself secure, they really don’t have a lot of control over the app developers.

If this makes you nervous, it should. If it makes you think you may need assistance, please contact us.

Credit: Cybernews
