Thousands of Android apps have built-in crypto keys and passwords
A large number of free Android apps suffer with flaky security because software developers are leaving cryptographic keys embedded and passwords hard-coded.
Speaking at the BSides security conference in San Francisco, software vulnerability analyst Will Dormann revealed how he had found serious security problems in thousands upon thousands of apps. After testing 1.8 million apps, he found almost 20,000 featured built-in passwords and keys, and even when a separate password store was used, user data was still open to attack from simple password crackers.
- Is your smartphone lying to you about having the latest Android security updates?
- Privacy: Facebook has been collecting call and text data from Android users
- Have I Been Pwned teams up with 1Password to improve post-security breach advice
- Security issues in gay dating app Grindr exposed users' locations
Dormann works at the CERT Coordination Center (CERT/CC), and focused on the free tools that more people are likely to use, He found that while it was surprisingly common to find that keys, codes and passwords were embedded in apps -- either through laziness or because that's how particular SDKs work -- some apps were better at hiding what was happening than others.
One development tool -- Appinventor -- was found to hardcode privacy keys in apps, although this is something that has been addressed in an update.
Dormann also highlighted the laziness of users in selecting passwords, cracking them with simple, freely available tools. He used brute force password crackers Jack the Ripper and Hashcat to successfully gather a large number of passwords from Java and Bouncy Castle key stores, noting to the Register that such crackers were good at picking up on and exploiting common password-creating traits:
Hashcat is much better at this. Not only does it recognize the human habit of capitalizing the first letter, it can also checks for exclamation points at the end of a password and also four digits, because a lot of people add dates.