Thousands of Android apps leak hard-coded secrets


Thousands of Android apps have hard-coded secrets, which means that a malicious actor -- and not necessarily a very skilled one -- could gain access to API keys, Google Storage buckets, unprotected databases and more.

Research from Cybernews shows that over half of 30,000 investigated apps are leaking secrets that could have huge repercussions for both app developers and their customers.

"Hardcoding sensitive data into the client side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse-engineering," says Cybernews researcher Vincentas Baubonis.


Following a month-long investigation, the researchers discovered that a great deal of data can be analyzed in just a few weeks with what Baubonis calls "mediocre infrastructure." A persistent threat actor with more advanced tools could extract more secrets in a shorter period and then use them for malicious purposes.

The study found 55.94 percent (18,647) of apps analyzed had hard-coded secrets, including different API keys and even links to open databases exposing sensitive corporate and user data. In total, researchers identified over 124,000 strings potentially leaking sensitive data. The most hard-coded secrets are found in apps within five categories: health and fitness, education, tools, lifestyle, and business.

The researchers also uncovered a logic flaw in Google Cloud services that allows apps to be downloaded directly from the Play Store without any warning that they may be malicious. However, storing the apps in Google Drive for transfer to another machine and then trying to download them from there prompts Google to warn about their potential dangers. Out of over 33,000 apps analyzed, researchers couldn't download 44 from Google Drive even though they had no problems downloading them straight from the Play Store.

You can read more about the research and the data apps may be exposing on the Cybernews blog.

