Thousands of Android apps have built-in crypto keys and passwords


A large number of free Android apps suffer from weak security because software developers are leaving cryptographic keys embedded and passwords hard-coded.

Speaking at the BSides security conference in San Francisco, software vulnerability analyst Will Dormann revealed how he had found serious security problems in thousands upon thousands of apps. After testing 1.8 million apps, he found almost 20,000 featured built-in passwords and keys, and even when a separate password store was used, user data was still open to attack from simple password crackers.


Dormann works at the CERT Coordination Center (CERT/CC), and focused on the free tools that more people are likely to use. He found that while it was surprisingly common to find keys, codes and passwords embedded in apps -- either through laziness or because that's how particular SDKs work -- some apps were better at hiding what was happening than others.

One development tool -- App Inventor -- was found to hard-code privacy keys in apps, although this is something that has been addressed in an update.
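The embedded-secret problem described above is something a development team can catch before an app ships. The following is an added example, not Dormann's or CERT/CC's tooling: a small scanner that walks lines of decompiled Java and resource XML looking for the patterns the article mentions (PEM private keys, literal passwords, keystore-load calls with an inline password, secret-looking string resources) plus a Shannon-entropy heuristic for long random-looking literals. The regexes, the entropy threshold and the sample input are all constructed for this illustration.

```python
import math
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    excerpt: str


# Heuristic patterns for embedded secrets (assumed here, not a published rule set).
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    # e.g.  String password = "hunter2";
    ("assigned_password",
     re.compile(r"""(?i)\b(password|passwd|pwd|secret)\b\s*[=:]\s*["']([^"']{4,})["']""")),
    # e.g.  ks.load(in, "changeit".toCharArray());  -- a Java KeyStore opened with a literal password
    ("keystore_password",
     re.compile(r"""\.load\([^,]+,\s*"([^"]+)"\.toCharArray\(\)""")),
    # e.g.  <string name="aws_secret_key">...</string> in res/values/strings.xml
    ("xml_secret",
     re.compile(r"""(?i)<string name="[^"]*(key|secret|password|token)[^"]*">([^<]+)</string>""")),
]

# Long quoted literal made only of base64/hex-style characters: candidate API key or token.
TOKEN_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, padding strings score near 0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines: Iterable[str], entropy_threshold: float = 3.5) -> List[Finding]:
    """Return one Finding per line that looks like it carries an embedded secret."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        hit = next((kind for kind, pat in PATTERNS if pat.search(line)), None)
        if hit is None:
            # Fall back to the entropy heuristic for unlabeled long literals.
            for tok in TOKEN_RE.findall(line):
                if shannon_entropy(tok) >= entropy_threshold:
                    hit = "high_entropy_literal"
                    break
        if hit is not None:
            findings.append(Finding(no, hit, line.strip()))
    return findings


# Constructed sample: fragments of decompiled app source and a strings.xml entry.
# Every value below is made up for the demo; none is a real credential.
SAMPLE_DECOMPILED = [
    'package com.example.app;',
    'public static final String API_KEY = "Qm9ndXNLZXlGb3JEZW1vT25seTEyMzQ1Njc4OTA=";',
    'String password = "hunter2";',
    'ks.load(in, "changeit".toCharArray());',
    '<string name="aws_secret_key">DUMMY-SECRET-FOR-DEMO</string>',
    '-----BEGIN RSA PRIVATE KEY-----',
    'Log.d("NetworkClient", "retrying request in 5000ms");',
    'private static final String PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa";',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_DECOMPILED):
        print(f"line {f.line_no:>3}  {f.kind:<22}  {f.excerpt}")
```

Run against the sample, the scanner flags lines 2 through 6 and stays quiet on the log statement and the low-entropy padding constant; the entropy check is what catches the unlabeled API key that none of the keyword patterns name. In a real build pipeline the same logic would run over the APK's decoded resources and smali or decompiled Java rather than a hand-written list.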

Dormann also highlighted the laziness of users in selecting passwords, cracking them with simple, freely available tools. He used the brute-force password crackers John the Ripper and Hashcat to successfully gather a large number of passwords from Java and Bouncy Castle key stores, telling The Register that such crackers were good at picking up on and exploiting common password-creating traits:

Hashcat is much better at this. Not only does it recognize the human habit of capitalizing the first letter, it can also check for exclamation points at the end of a password and also four digits, because a lot of people add dates.
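The three habits in that quote (leading capital, trailing exclamation mark, trailing four-digit date) are exactly what a keystore password policy should refuse to be fooled by. The code below is an added example, not Dormann's method and not Hashcat's rule engine: it strips those decorations from a candidate password, lowercases the remainder and checks whether what is left is a plain dictionary word. The wordlist and the 12-character minimum are constructed assumptions for the demo.

```python
import re
from typing import Optional, Set

# Stand-in for the dictionaries a cracker ships with (constructed, deliberately tiny).
COMMON_WORDS: Set[str] = {
    "password", "summer", "welcome", "android", "keystore", "changeit", "secret",
}

TRAILING_FOUR_DIGITS = re.compile(r"\d{4}$")


def strip_habits(pw: str) -> str:
    """Undo the mangling habits quoted in the article and return the bare base word.

    Order matters: 'Summer2018!' loses the '!' first, then the year, then the capital.
    """
    base = pw.rstrip("!")
    base = TRAILING_FOUR_DIGITS.sub("", base)
    return base.lower()


def is_guessable(pw: str, wordlist: Set[str] = COMMON_WORDS) -> bool:
    """True if the password, or its base word after de-mangling, is in the wordlist."""
    return pw.lower() in wordlist or strip_habits(pw) in wordlist


def check_keystore_password(pw: str, min_len: int = 12) -> Optional[str]:
    """Return a rejection reason, or None if the password passes both checks."""
    if len(pw) < min_len:
        return "too short"
    if is_guessable(pw):
        return "dictionary word with common mangling"
    return None


if __name__ == "__main__":
    # Constructed candidates showing each outcome.
    for candidate in ["Password2018!", "Changeit", "Keystore1999", "b7Tq-w3Lp@9zRx"]:
        verdict = check_keystore_password(candidate) or "ok"
        print(f"{candidate:<16} -> {verdict}")
```

The point of the check is that "Password2018!" satisfies the usual uppercase/digit/symbol rules yet collapses to "password" once the decorations are removed, which is why a rule-based cracker recovers it quickly; a policy that measures the base word rather than the decorations steers users toward long random strings or passphrases, and a keystore protected that way is not rescued by any amount of trailing punctuation.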

Image credit: deepadesigns / Shutterstock

© 1998-2018 BetaNews, Inc. All Rights Reserved. Privacy Policy.