Wednesday, May 7, 2025

Hardcoded Creds in Popular Apps Put Millions of Android and iOS Users at Risk


Recent analysis has revealed a concerning trend in mobile app security: many popular apps store hardcoded, unencrypted cloud service credentials directly in their codebases.

This poses a significant security risk, since anyone with access to the app's binary or source code can extract and misuse these credentials to manipulate or exfiltrate data.

Examples include Pic Stitch, the Collage Maker app on Android, and several popular iOS apps, such as Crumbl, Eureka, and Videoshop.


These apps contain embedded AWS credentials, highlighting the need for developers to adopt more secure credential management practices to protect user data and backend services.


Pic Stitch upload file code

Both the Crumbl and Eureka mobile apps were found to contain this weakness. Crumbl's code initializes an AWSStaticCredentialsProvider with hardcoded, plain-text AWS credentials (an access key and a secret key), which are then used to configure AWS services, leaving those services exposed.

A WSS endpoint URL is also included directly in the code, which attackers can exploit. Similarly, the Eureka app hardcodes AWS credentials in its code for logging events to AWS, exposing critical cloud resources.

Eureka IDA code with hardcoded AWS credentials

Videoshop and other mobile apps embed unencrypted AWS and Azure credentials directly in their code, exposing them to attackers who can extract them from the app’s binary. 

Hardcoded credentials can lead to unauthorized access to cloud storage buckets, data theft, and service disruptions, posing a significant security risk. Storing credentials securely, or encrypting them, avoids this exposure.

Example apps on Google Play Store page with hardcoded Azure credentials

The Sulekha Business and ReSound Tinnitus Relief apps contain hardcoded Azure credentials in their codebases. These credentials, used to access Azure Blob Storage, are exposed in plain text and pose a significant security risk.

Disclosure of these credentials could result in unauthorized access and data breaches, potentially impacting user data and backend operations.

This pattern of insecure credential management highlights the urgent need for developers to adopt more secure practices, such as using environment variables or secrets management solutions to store sensitive credentials.

Sulekha Business Jadx code with hardcoded Azure credentials

Hardcoded, unencrypted cloud service credentials in mobile apps pose serious security risks and expose critical infrastructure to attack. The pattern is prevalent on both iOS and Android, which necessitates a shift toward more secure development practices.

To mitigate these risks, developers should utilize environment variables, implement secrets management tools, encrypt sensitive data, conduct regular code reviews and audits, and automate security scanning. 

According to Symantec, developers can adopt these best practices to significantly reduce the risk of exposing sensitive information and ensure the security of their mobile applications.
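The "automate security scanning" recommendation above can be put into practice with a small static check run over strings extracted from an app build or from decompiler output (Jadx or IDA, as in the screenshots). The following is an added example written for this page; it is not code from the article, from Symantec, or from any of the apps named. It looks for the two credential types the article describes, AWS access key and secret key pairs and Azure storage AccountKey values, plus direct use of AWSStaticCredentialsProvider as a code-pattern hint, and it masks every match so the report itself does not leak the secret. The sample input is constructed for the example; the AWS values in it are the placeholder keys from AWS's own documentation, and the Azure key is a made-up string.

```python
"""Scan decompiled-app text for hardcoded cloud credentials (added example, not from the article)."""
import math
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str        # which detection rule fired
    line_no: int     # 1-based line in the scanned text
    redacted: str    # matched value, masked so the report does not leak it


# Heuristic rules. The AWS ones follow the public key formats (access key IDs
# begin with AKIA or ASIA and are 20 chars; secret keys are 40 chars of base64-like text).
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Azure storage connection strings carry the account key as AccountKey=<base64>;
AZURE_ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{20,}={0,2})")
# API usage named in the article that strongly suggests static, embedded credentials.
STATIC_PROVIDER_RE = re.compile(r"AWSStaticCredentialsProvider")


def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, identifiers and prose score low."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(value: str) -> str:
    """Keep 4 chars at each end so a finding can be traced to its source; mask the rest."""
    if len(value) <= 12:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text: str) -> list[Finding]:
    """Return one Finding per rule hit, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", line_no, redact(m.group(0))))
        for m in AWS_SECRET_RE.finditer(line):
            # 40-char runs also occur in hashes and base64 blobs; require high entropy
            # to cut false positives (threshold is a tunable heuristic)
            if shannon_entropy(m.group(0)) >= 3.0:
                findings.append(Finding("aws_secret_access_key", line_no, redact(m.group(0))))
        for m in AZURE_ACCOUNT_KEY_RE.finditer(line):
            findings.append(Finding("azure_storage_account_key", line_no, redact(m.group(1))))
        if STATIC_PROVIDER_RE.search(line):
            findings.append(Finding("aws_static_credentials_provider", line_no, "n/a"))
    return findings


# Constructed sample resembling decompiler output. The AWS values are the
# placeholder keys from AWS documentation; the Azure key is invented for this example.
SAMPLE_DECOMPILED = "\n".join([
    'private static final String BUCKET = "photo-uploads";',
    'AWSStaticCredentialsProvider(accessKey: "AKIAIOSFODNN7EXAMPLE", '
    'secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")',
    'String conn = "DefaultEndpointsProtocol=https;AccountName=examplestore;'
    'AccountKey=FAKEAZUREKEY0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ==;'
    'EndpointSuffix=core.windows.net";',
    'Log.d("Upload", "done");',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_DECOMPILED):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

In practice the input would be the output of `strings` on the app binary or the sources produced by a decompiler, and the scan would run in CI against each build so a credential committed to the app fails the pipeline before release. Any hit should be treated as already exposed: rotate the key and move the app to short-lived, scoped credentials issued by the backend rather than a static key shipped in the binary.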


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
