Article Details

Scrape Timestamp (UTC): 2024-10-23 00:33:47.883

Source: https://www.theregister.com/2024/10/23/android_ios_security/

Original Article Text


Millions of Android and iOS users at risk from hardcoded creds in popular apps.

Azure Blob Storage, AWS, and Twilio keys all up for grabs.

An analysis of widely used mobile apps offered on Google Play and the Apple App Store has found hardcoded and unencrypted cloud service credentials, exposing millions of users to major security problems.

The problem stems from lazy coding, according to Yuanjing Guo and Tommy Dong, a pair of software engineers at Symantec's Security Technology and Response. The duo warn that leaving creds in code means anyone with access to the app's binary or source code could gain access to backend infrastructure and potentially exfiltrate user data.

"This practice exposes critical infrastructure to potential attacks, endangering user data and backend services," Symantec's researchers warned.

"The widespread nature of these vulnerabilities across both iOS and Android platforms underscores the urgent need for a shift towards more secure development practices," they added.

These are the apps in which Symantec spotted creds, but there may well be more:

Symantec recommends users install a third-party security system to block any of the consequences of these coding errors, and – surprise, surprise – it has one for the purpose. Users should also be very wary of whatever permissions their apps ask for and only install apps from trusted sources.

Or developers could just write better code and use services like AWS Secrets Manager or Azure Key Vault that are designed to keep sensitive information in a safe place. Symantec's researchers also recommend encrypting everything and conducting regular code reviews and security scanning.
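The point the researchers make (string constants are trivially recoverable from a shipped binary) and the security scanning they recommend, as an added Python example that is not part of the article or of Symantec's research: it pulls printable strings from a constructed stand-in for an app binary, the way the strings tool would, and flags anything shaped like the public AWS access key ID and Twilio SID formats named above; the Azure storage account key length (64 bytes, 88 base64 characters) is an assumption, and every key in the sample is constructed.

```python
import re
import string
from typing import Iterator

# Credential shapes for the services the article names. AWS and Twilio
# prefixes are their public formats; the Azure key length is assumed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
}

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def extract_strings(blob: bytes, min_len: int = 8) -> Iterator[str]:
    """Yield printable ASCII runs of at least min_len bytes, like `strings`."""
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")

def redact(secret: str) -> str:
    """Keep just enough to locate the finding; never log the whole value."""
    return secret[:6] + "..." + secret[-2:]

def scan_binary(blob: bytes) -> list[tuple[str, str]]:
    """Return (pattern_name, redacted_match) for each credential-shaped string."""
    findings = []
    for s in extract_strings(blob):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(s):
                findings.append((name, redact(m.group(0))))
    return findings

# Constructed stand-in for an app binary: string constants among junk bytes.
FAKE_APP_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"https://api.example.invalid/v1\x00"
    + b"AKIAEXAMPLE000000000\x00"                 # constructed, not a real key
    + b"\x00\x01\x02\xff" * 8
    + b"AC0123456789abcdef0123456789abcdef\x00"   # constructed Twilio SID shape
    + b"DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey="
    + b"A" * 86 + b"==;EndpointSuffix=core.windows.net\x00Welcome back!\x00"
)

if __name__ == "__main__":
    for name, hint in scan_binary(FAKE_APP_BINARY):
        print(f"hardcoded credential? {name}: {hint}")
```

Run the same scan over the unpacked APK or IPA in CI so a build that embeds a live key fails before it ships; a hit is a signal to move the value into a secrets manager and rotate it.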

Daily Brief Summary

DATA BREACH // Risk to Millions as Apps Leak Cloud Service Credentials

Millions of Android and iOS app users are at risk due to hardcoded and unencrypted cloud service credentials found in popular mobile applications.

Researchers Yuanjing Guo and Tommy Dong from Symantec identified these vulnerabilities in apps available on Google Play and the Apple App Store.

Exposed credentials include sensitive data like Azure Blob Storage, AWS, and Twilio keys, potentially allowing unauthorized access to backend infrastructure and user data.

The issues arise from poor coding practices, with developers leaving sensitive credentials within the app's code, which could be accessed by anyone with the ability to review the app’s binary or source code.

Symantec highlights the need for more secure development practices and urges a shift towards encrypting sensitive data, using secure storage for credentials, and regular security checks.

The company also recommends that users install third-party security systems, be cautious about app permissions, and only download apps from reputable sources to mitigate risks.

Additional protective measures suggested include the use of services like AWS Secrets Manager or Azure Key Vault to securely manage and store sensitive information.