"Thousands of Android Apps Leak Hard-coded Secrets, Research Shows"
Thousands of Android apps contain hard-coded secrets, meaning that a malicious actor, even one who is not highly skilled, could gain access to Application Programming Interface (API) keys, Google Storage buckets, unprotected databases, and other sensitive information. According to Cybernews researchers, more than half of the 30,000 apps investigated leak secrets that could have significant consequences for both app developers and their customers. Hard-coding sensitive data into the client side of an Android app is a poor practice, since in most cases it can be recovered easily through reverse engineering.

Following a month-long investigation, the researchers found that a large amount of data can be analyzed in a matter of weeks using "mediocre infrastructure." A persistent threat actor with more sophisticated tools could extract more secrets in less time and use them for malicious purposes. The study revealed that 55.94 percent (18,647) of the apps reviewed contained hard-coded secrets, such as various API keys and links to open databases that exposed sensitive corporate and user data. The researchers identified over 124,000 strings as potentially leaking sensitive data. The apps with the most hard-coded secrets fall into five categories: health and fitness, education, tools, lifestyle, and business. This article continues to discuss the Cybernews researchers' findings on thousands of Android apps leaking hard-coded secrets.
Cybernews reports "Thousands of Android Apps Leak Hard-coded Secrets"
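To show the kind of string-level check that catches client-side secrets before an app ships, here is an added example (not Cybernews' tooling or code from the article) that scans a constructed Android `strings.xml` and a Java config class for secret-like values; the regexes are assumed heuristics for common key formats, and every sample value is made up.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns for the secret types the research describes (API keys,
# storage buckets, open databases). The formats are assumptions, not from the article.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"),
    "gcs_bucket": re.compile(r"\b(?:gs://[a-z0-9._-]+|storage\.googleapis\.com/[a-z0-9._-]+)"),
}

def scan_text(text, origin):
    """Return (origin, kind, match) tuples for every secret-like string in text."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((origin, kind, m.group(0)))
    return findings

def scan_strings_xml(xml_text):
    """Scan an Android res/values/strings.xml document; every <string> is a candidate."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("string"):
        value = "".join(node.itertext())
        findings.extend(scan_text(value, f"strings.xml:{node.get('name')}"))
    return findings

# Constructed sample resources: the key values are invented and only follow the formats above.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">FitTrack</string>
    <string name="maps_key">AIzaSyA1234567890abcdefghijklmnopqrstuv</string>
    <string name="backend">https://fittrack-demo.firebaseio.com</string>
</resources>"""

SAMPLE_JAVA = """
public final class Config {
    static final String UPLOAD_BUCKET = "gs://fittrack-user-uploads";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
}
"""

def scan_app(strings_xml=SAMPLE_STRINGS_XML, java_src=SAMPLE_JAVA):
    """Scan both resource and source text; each hit is a secret a reverse engineer would also find."""
    return scan_strings_xml(strings_xml) + scan_text(java_src, "Config.java")

if __name__ == "__main__":
    for origin, kind, value in scan_app():
        print(f"{origin}: {kind} -> {value}")
```

Running this as a pre-release gate (for example over the unpacked APK's resources and decompiled sources) flags exactly the strings the article says attackers harvest, so they can be moved behind a backend before publication.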