A new research study by a security firm has outed hundreds of Android apps for having hard-coded secret API keys and access tokens, potentially exposing them to security breaches.
Secret API keys and access tokens are used by mobile app developers to authenticate app requests and to access third-party web services such as Amazon Web Services (AWS). They are not passwords in the strict sense, but it helps to think of them as long, complex passwords.
Using an online tool it built for the purpose, the Delaware-based security firm Fallible analyzed and reverse-engineered about 16,000 Android apps for its study. It found that while the majority of the apps contained no exposable secret keys or tokens, about 2,500 of them had either a secret key or a key for a third-party service hard-coded within them.
Fallible stated in a blog post that most of these keys pose no danger and are actually required for the apps to work properly (for example, Google’s API keys for the Play Store), but it found 304 apps that leak secret API keys for services like Twitter, Dropbox, Instagram, AWS, and Slack.
If exposed and abused, these keys can be utilized for unauthorized access to sensitive data and can even lead to a massive data breach.
In fact, Fallible stated in its blog post that it found 10 AWS hard-coded secret keys that had “full privilege of creating and deleting instances.” Abusing these keys for unauthorized access to instances can lead to data loss and theft, system shutdowns and costly downtimes.
To stress how sensitive these access tokens are, just last year, more than 1,500 Slack access tokens of hundreds of companies, including schools, health care providers, and ISPs, were found in public projects in GitHub. Security researchers managed to gain access to these companies’ Slack chat logs and found a trove of sensitive information such as database credentials, passwords, private messages and logins to other services.
Fallible advises app developers to refrain from hard-coding any API secret key or tokens in their apps unless they want to put users and third-party services in danger.
“For app developers reading this, whenever you hardcode any API key/token in the app, think hard if you really need to hardcode this, understand the API usage and the read/write scope of the tokens before putting it in the apps,” Fallible writes in its post.
Third-party services, too, should instruct developers not to embed these sensitive API keys in their apps, and the post also advises that “multiple API secrets with different scopes” be generated.
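As an added example, not Fallible’s tool or any code from its post, the following Python scanner does the kind of check the study describes: it runs over strings pulled from a decompiled APK (resource strings and smali constants), flags well-known key formats, and gates values assigned to secret-looking names on their entropy. The sample input is constructed; the AWS values in it are Amazon’s documented non-functional example credentials, and the threshold and pattern list are assumptions you would tune for your own apps.

```python
import math
import re
from collections import Counter

# Publicly documented key shapes. Google API keys are usually needed by the app
# (the study's "required" class), so they are marked for review rather than high.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    "slack_token": (re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"), "high"),
    "google_api_key": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "review"),
}
# Catch-all for services without a fixed token format (Twitter, Dropbox, ...):
# a quoted literal assigned to a secret-looking name, gated by entropy below.
NAMED_SECRET = re.compile(
    r"""(?i)\w*(?:secret|token|api[_-]?key|access[_-]?key)\w*["']?\s*[:=]\s*["']([^"']{16,})["']"""
)

def shannon_entropy(s):
    """Bits per character; random-looking keys score well above prose or labels."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan(text, entropy_threshold=3.5):
    """Return (line_no, kind, severity, value) for each suspected hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (rx, severity) in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((lineno, kind, severity, m.group(0)))
        for m in NAMED_SECRET.finditer(line):
            value = m.group(1)
            # Skip values already reported by a known-format pattern on this line.
            already = any(f[0] == lineno and f[3] in value for f in findings)
            if not already and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "named_secret", "high", value))
    return findings

# Constructed sample of what decompiled APK output looks like (res/values/strings.xml
# entries and smali const-string lines). AWS values are Amazon's example credentials.
SAMPLE = """\
<string name="app_name">ExampleApp</string>
<string name="google_api_key">AIzaSyA1234567890abcdefghijklmnopqrstuv</string>
const-string v0, "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SLACK_TOKEN = "xoxb-123456789012-abcdefghijklmnop"
const-string v1, "Loading, please wait..."
"""

if __name__ == "__main__":
    for lineno, kind, severity, value in scan(SAMPLE):
        print(f"line {lineno}: [{severity}] {kind}: {value}")
```

Running the same scan in CI against the output of your APK decompiler, before release, catches the key before a third party does.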
To use the special online tool Fallible created for the study, go to this site. You can search for any app and detect if it’s leaking secret API keys and tokens.
To read Fallible’s blog post and the number of secret API keys that Android apps are leaking, click here.