Secret tokens found hard-coded in hundreds of Android apps

Share this…

In some cases, the hard-coded secrets could allow an attacker to steal or delete data.

A security research firm has found hundreds of Android apps that are leaking sensitive secret keys and tokens, which could be used and abused by hackers.

Fallible, a Delaware-based security firm, spent the past few months reverse engineering thousands of apps to discover security issues, such as leaky secret keys. These keys often belong to third-party services to help app integration, but if leaked could be used to manipulate or abuse the services.

The company posted its results over the weekend.

While most of the 16,000 apps they examined didn’t leak any keys, a little over 300 apps contained easily-found hard-coded keys for services like Dropbox, Twitter, and Slack.

A single token leak could lead to data exposure. Just last year, another security firm found over 1,500 tokens for Slack used by large enterprises, including internet companies and healthcare providers.

Fallible also confirmed it found ten instances where Amazon Web Service secret keys were hard-coded in the apps.

“Some of them had full privilege of creating [and] deleting instances,” said the blog post.

Many of the Silicon Valley startups and billion-dollar unicorns use Amazon Web Services to host their apps, content, and user data. Abhishek Anand, co-founder of Fallible, said in an email that abusing the keys could be used to “shutdown services and lead to data leak and destruction.”

That could lead to millions of dollars of downtime — if not worse.

“We recently found a unicorn transportation startup using Zendesk leaking its API secret and which can be used to leak user data for all its customers including support emails and chats, phone numbers, personal details and more,” said Anand, though he did not name the company.

In other cases, he said that it “made no sense” to keep certain secret keys in the app, such as database and mail credentials.

The advice is simple enough. Think twice before using hard-coded keys.

“Whenever you hardcode any API key [or] token in the app, think hard if you really need to hardcode this,” the blog post reads. “Understand the API usage and the read-write scope of the tokens before putting it in the apps.”