Security warning over popular mobile apps with hard-coded credentials

Millions of mobile apps leave cloud credentials unencrypted in code for anyone to exploit

Image:

Symantec researchers have warned of vulnerabilities in popular apps

Millions of Android and iOS mobile apps exposed to wide-ranging security risks due to hard-coded and unencrypted cloud service credentials within their codebases.

Popular apps with millions of downloads are vulnerable to hardcoded and unencrypted cloud service credentials, according to software engineer Yuanjing Guo and senior principal software engineer Tommy Dong, both researchers at Symantec.

“Several widely-used apps have been found to contain hardcoded and unencrypted cloud service credentials within their codebases. This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches,” they warn.

The researchers examined in-depth a number of popular apps; including Collage Maker, which has more than five million downloads on Google Play; Crumbl, with 3.9 million iOS downloads; Eureka, with more than half-a-million downloads on Google Play; and Videoshop, a video editor with more than 10 million downloads on Google Play.

“In all of these example apps, hardcoded credentials are used to authenticate with various AWS services, such as S3 buckets for storage and IoT data management.

“This common practice of embedding sensitive information like AWS keys directly within the code, without any form of encryption or protection, poses a severe risk. Attackers who gain access to these credentials could exploit them to compromise the app's backend infrastructure, steal user data, or cause service disruptions,” they write.

Many apps examined by the researchers also contain similar security flaws exposing Azure Blob Storage accounts to unauthorized access, putting both user data and backend resources at risk.

“Anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches. This repeated pattern of insecure credential management across multiple apps highlights the critical need for developers to adopt more secure practices.”

The researchers make a number of recommendations for users, including installing a mobile security app – unsurprisingly, they recommend Symantec Endpoint Protection; only installing apps from trusted sources (although that doesn’t help in the highlighted instances as all the insecure apps are available from either Google Play or the iOS App Store; and paying close attention to the permissions that apps request.