Devs reverse-engineer 16,000 Android apps, find secrets and keys to AWS accounts

A security firm has reverse engineered 16,000 Android apps on Google’s Play store and found that over 304 contain sensitive secret keys.

The deconstruction effort was carried out by Delaware-based Fallible, which ran the popular applications through its automated code analysis tool*.

The researchers did not name the apps they examined but say they worked with Google’s lists of the most popular apps.

Some 2,500 apps contained either secrets or third-party keys; most of these, such as those found in Uber’s app, were benign and necessary for the apps to function on Google Play or with other services.

Others contained Amazon Web Services keys that granted extensive access to the developers’ AWS accounts.

“Some keys are harmless and are required to be there in the app, for example Google’s API key, but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” researchers at the company say.

“Then there were AWS secrets too hardcoded in the apps. Some of them had full privilege of creating and deleting instances.”

Twitter keys were the most common to be found in the studied apps, along with Urban Airship and a scattering of other services.
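To make concrete what an automated pass over unpacked APKs turns up, here is an added example scanner. It is not Fallible’s tool and not code from The Register: it treats an APK as the ZIP file it is, pulls every entry (resources, the compiled resource table, classes.dex), and matches the bytes against patterns for credentials that should never ship in a client, separating a Google API key (expected in an app, and supposed to be restricted in the Google console) from AWS and Twitter secrets (which grant server-side access). The sample APK content is constructed inline with placeholder values (the AWS access key and secret are Amazon’s documented example pair, the others are made up); the file names, pattern table and severity labels are this example’s own assumptions.

```python
"""Minimal hardcoded-secret scanner for Android APKs (added example, not
Fallible's tool). An APK is a ZIP; every entry is scanned as raw bytes and,
where it contains NUL bytes, as a NUL-stripped copy so UTF-16LE resource
strings (as found in resources.arsc) still match the ASCII patterns."""
import io
import re
import zipfile

# Pattern table (an assumption of this example): name -> (regex, severity).
# Google API keys are "info" because the article notes they are expected in
# an app (restrict them by package name and signing cert in the console);
# AWS and Twitter secrets are "high" because they act as server credentials.
SECRET_PATTERNS = {
    "aws_access_key_id": (
        re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high"),
    "aws_secret_access_key": (
        re.compile(rb"(?i)aws[^\n]{0,30}?secret[^\n]{0,40}?"
                   rb"(?P<v>(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]))"),
        "high"),
    "twitter_consumer_secret": (
        re.compile(rb"(?i)twitter[^\n]{0,40}?secret[^\n]{0,40}?"
                   rb"(?P<v>(?<![A-Za-z0-9])[A-Za-z0-9]{35,50}(?![A-Za-z0-9]))"),
        "high"),
    "google_api_key": (
        re.compile(rb"\bAIza[0-9A-Za-z_-]{35}\b"), "info"),
}


def redact(value):
    """Keep only the ends of a secret so a report can be shared safely."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def iter_apk_entries(apk_bytes):
    """Yield (entry_name, data) for each file in the APK; entries holding
    NUL bytes are yielded a second time with NULs removed (UTF-16LE text)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            raw = zf.read(name)
            yield name, raw
            if b"\x00" in raw:
                yield name, raw.replace(b"\x00", b"")


def scan_apk(apk_bytes):
    """Return a list of findings: entry, kind, severity and redacted value."""
    findings, seen = [], set()
    for name, data in iter_apk_entries(apk_bytes):
        for kind, (pattern, severity) in SECRET_PATTERNS.items():
            for m in pattern.finditer(data):
                raw_value = m.group("v") if "v" in m.groupdict() else m.group(0)
                value = raw_value.decode("ascii", "replace")
                key = (name, kind, value)
                if key in seen:  # same hit seen in raw and NUL-stripped copy
                    continue
                seen.add(key)
                findings.append({"entry": name, "kind": kind,
                                 "severity": severity, "value": redact(value)})
    return findings


def build_sample_apk():
    """Constructed stand-in for an app: a strings.xml with a Google key and
    hardcoded AWS credentials (Amazon's documented example pair), a UTF-16LE
    resource blob carrying a made-up Twitter consumer secret, and a fake
    classes.dex repeating the AWS access key id."""
    strings_xml = (
        b'<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
        b'    <string name="google_maps_key">AIzaSyD1234567890abcdefghijklmnopqrstuv</string>\n'
        b'    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        b'    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
        b'</resources>\n')
    utf16_blob = ("twitter_consumer_secret="
                  "Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6J7k8L9z0X1c2V").encode("utf-16-le")
    dex = b"dex\n035\x00Lcom/example/Config;\x00AKIAIOSFODNN7EXAMPLE\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml", strings_xml)
        zf.writestr("resources.arsc", utf16_blob)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"[{f['severity']:4}] {f['entry']}: {f['kind']} = {f['value']}")
```

Run against a real package, the same loop takes the APK bytes straight from disk; on a finding tagged high, the practitioner’s next steps are to confirm the key is live (for AWS, `aws sts get-caller-identity` with those credentials), rotate or delete it in the provider console, and then move the call it served behind the app’s own backend, where a scoped, short-lived token can be issued to the client instead.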

“For app developers reading this, whenever you hardcode any API key or token into your app, think hard if you really need to hardcode this, [and] understand the API usage and the read and write scope of the tokens,” Fallible researchers say.

“For third party services, clearly warn and instruct the developers not to put these secrets in the apps [and] create multiple API secrets with different scopes if required.”

*Fallible’s site was offline but cached at the time of writing.


via The Register http://bit.ly/2jjwTad
