Hardcoded Creds in Popular Apps Put Millions of Android and iOS Users at Risk

Recent analysis has revealed a concerning trend in mobile app security: Many popular apps store hardcoded and unencrypted cloud service credentials directly within their codebases. 

It poses a significant security risk as anyone accessing the app’s binary or source code could extract and misuse these credentials to manipulate or exfiltrate data. 

Examples include Pic Stitch, the Collage Maker app on Android, and several popular iOS apps, such as Crumbl, Eureka, and Videoshop.

These apps contain embedded AWS credentials, highlighting the need for developers to adopt more secure credential management practices to protect user data and backend services.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Both Crumbl and Eureka mobile apps were found to contain security vulnerabilities, where Crumbl’s code initializes an AWSStaticCredentialsProvider with hardcoded, plain-text AWS credentials (access key and secret key), which are used to configure AWS services, leaving them exposed. 

A WSS endpoint URL is included directly within the code, which attackers can exploit. Similarly, the Eureka app hardcodes AWS credentials within its code for logging events to AWS, exposing critical cloud resources.  

Videoshop and other mobile apps embed unencrypted AWS and Azure credentials directly in their code, exposing them to attackers who can extract them from the app’s binary. 

Hardcoded credentials can lead to unauthorized access to cloud storage buckets, data theft, and service disruptions, posing a significant security risk. Encrypting or securely storing credentials can avoid this.

The Sulekha Business and ReSound Tinnitus Relief apps contain hardcoded Azure credentials within their codebases, which are used for accessing Azure Blob Storage and are exposed in plain text, posing a significant security risk. 

Disclosure of these credentials could result in unauthorized access and data breaches, which could potentially impact user data and backend responsibilities. 

This pattern of insecure credential management highlights the urgent need for developers to adopt more secure practices, such as using environment variables or secrets management solutions to store sensitive credentials.

Hardcoded and unencrypted cloud service credentials in mobile apps pose serious security risks, exposing critical infrastructure to potential attacks, which are prevalent across both iOS and Android platforms, necessitating a shift towards more secure development practices. 

To mitigate these risks, developers should utilize environment variables, implement secrets management tools, encrypt sensitive data, conduct regular code reviews and audits, and automate security scanning. 

According to Symantec, developers can adopt these best practices to significantly reduce the risk of exposing sensitive information and ensure the security of their mobile applications.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!