Millions of Android and iOS users at risk from hardcoded creds in popular apps

An analysis of widely used mobile apps offered on Google Play and the Apple App Store has found hardcoded and unencrypted cloud service credentials, exposing millions of users to major security problems.

The problem stems from lazy coding, according to Yuanjing Guo and Tommy Dong, a pair of software engineers at Symantec's Security Technology and Response. The duo warn that leaving creds in code means anyone with access to the app's binary or source code could gain access to backend infrastructure and potentially exfiltrate user data.

"This practice exposes critical infrastructure to potential attacks, endangering user data and backend services," Symantec's researchers warned. "The widespread nature of these vulnerabilities across both iOS and Android platforms underscores the urgent need for a shift towards more secure development practices," they added.

• Critical hardcoded SolarWinds credential now exploited in the wild
• Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials
• US contractor pays $300K to settle accusation it didn't properly look after Medicare users' data

These are the apps in which Symantec spotted creds, but there may well be more:

• The Pic Stitch – Over five million people have rated this collage-editing app for Android and unfortunately it contains hardcoded AWS credentials which would allow an attacker to harvest production credentials, including a linked Amazon S3 bucket name, the read and write access keys, and secret keys.
• Crumbl – This iOS app helps users to source sugary treats but also exposes the developers' AWS plain-text credentials, including an access key and secret key. "Furthermore, the inclusion of a WebSocket Secure (WSS) endpoint within the code – wss://***.iot.us-west-2.amazonaws.com – highlights a significant security oversight," the researchers warn.
• Eureka – This survey taking app, rated by nearly 500,000 Apple and Android users, has hardcoded AWS credentials directly in the app and the access and secret keys stored in plain text.
• Videoshop – The code of this video editor includes unencrypted AWS credentials that would allow someone with the binary to steal data, access backend infrastructure and potentially bring it down. Nearly 400,000 people have rated this app.
• Meru Cabs – This Indian taxi-hailing app, used by around five million people, has hardcoded Azure credentials available that would allow access to cloud storage setups.
• Sulekha Business – The networking and lead generating app has around half a million users and makes much of its security on its website. However, Symantec's analysis shows it has more than one hardcoded Azure credential available for attackers and uses plain-text connection strings to access Azure Blob Storage containers.
• ReSound Tinnitus Relief – This sound therapy app, with around 500,000 users, is not exactly music to a security specialist's ears, since it too embeds its Azure Blob Storage credentials in a way that's easy to spot. So does the Beltone Tinnitus Calmer app on Android, which has around 100,000 users.
• EatSleepRIDE Motorcycle GPS – This forum app contains hardcoded Twilio credentials, putting its estimated 100,000 users at risk.

Symantec recommends users install a third-party security system to block any of the consequences of these coding errors, and – surprise, surprise – it has one for the purpose. Users should also be very wary of whatever permissions their apps ask for and only install apps from trusted sources.

Or developers could just write better code and use services like AWS Secrets Manager or Azure Key Vault that are designed to keep sensitive information in a safe place. Symantec's researchers also recommend encrypting everything and conducting regular code reviews and security scanning. ®