- Security researchers from Cybernews found thousands of iOS apps with hardcoded secrets
- The secrets could be used in data leakage or wire fraud
- The majority of the secrets can be disregarded as low-sensitivity
Researchers from the Cybernews team have found evidence to suggest that thousands of App Store applications have left hardcoded secrets in their code, which has resulted in user’s sensitive information being exposed to cybercriminals.
The researchers analyzed more than 156,000 iOS apps and discovered more than 815,000 hardcoded secrets, thousands of which were “very sensitive and could lead directly to breaches or data leaks.”
A “secret” is a broad term, and includes things like API keys, passwords, or encryption keys. Being “hardcoded” means that the developers add these things directly in the source code. The general consensus is that they do it since it’s convenient in production, and often just forget to remove the secrets once the app goes live.
Cloud info, API keys, Stripe data
The average app’s code exposes 5.2 secrets, and 71% of apps leak at least one secret, Cybernews reported.
The majority of these secrets can be disregarded, they explained, since they can’t be used in criminal attacks. However, they found almost 83,000 hardcoded cloud storage endpoints, 836 of which do not require authentication and could leak more than 400TB of data. They also found 51,000 Firebase endpoints, “thousands” of which are open to outsiders, as well as thousands of exposed keys for Fabric API, Live Branch, MobApp Cretor, and others.
The biggest problem, though, were Stripe secret keys, which directly control financial transactions. “Stripe is widely used by e-commerce and even fintech companies to handle online payments,” Cybernews explained, before stating that its team found 19 Stripe secret keys.
“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” Aras Nazarovas, a security researcher at Cybernews, said.
“Some iOS developers just make it too easy for hackers.”
We have reached out to Apple for comment and will update the article when we hear back.
Via Cybernews
