A security firm has reverse engineered 16,000 Android apps on Google’s Play store and found that over 304 contain sensitive secret keys.
The huge deconstruction effort was made through Delaware-based Fallible which sent the popular applications through its automated code analysis tool*.
The researchers did not name the apps they examined but say they worked with Google’s lists of the most popular apps.
Some 2500 apps contained either secrets or third party keys, with most such as those found in Uber’s app being safe and necessary for the platforms to function on Google play or with other services.
Others contained Amazon Web Services keys that granted extensive access to accounts.
“Some keys are harmless and are required to be there in the app for example Google’s API key but there were lots of API secrets as well which definitely shouldn’t have been in the apps,” researchers at the company say.
“Then there were AWS secrets too hardcoded in the apps. Some of them had full privilege of creating and deleting instances.”
Twitter keys were the most common to be found in the studied apps, along with Urban Airship and a scattering of other services.
“For app developers reading this, whenever you hardcode any API key or token into your app, think hard if you really need to hardcode this, [and] understand the API usage and the read and write scope of the tokens,” Fallible researchers say.
“For third party services, clearly warn and instruct the developers to not to put these secrets in the apps [and] create multiple API secrets with different scopes if required.”
*Fallible’s site was offline but cached at the time of writing.
Customer Identity and Access Management
via The Register http://bit.ly/2jjwTad