A cyber security company has initiated a large study on mobile application security and identified that hundreds of Android apps contain sensitive access tokens.
Secret Access Tokens Contained in a Lot of Android Apps
A very serious issue has been identified in the Android application ecosystem. According to a new in-depth study by the cyber security company Fallible, covering 16 000 mobile applications running Google’s operating system, 2500 of them contain a hardcoded access token. The survey was performed using an online tool the company released in November.
Access keys for third-party services were only some of the problem areas reported by the vendor. In some cases the developers have also included keys and access tokens that unlock access to private data or systems. Some of them grant access to popular apps and services such as Flickr, Twitter, Dropbox, Instagram, Slack and Amazon Web Services. Most of the affected apps contained tokens for Twitter. Here is an excerpt of some of the popular services and the number of apps that leak private keys for them:
- Twitter – 102
- Urban Airship – 59
- Flickr – 5
- Wootric – 8
- WeeChat – 4
- Dropbox – 5
- Instagram – 8
- Tap Joy – 7
- Slack – 1
- LinkedIn – 4
- Amazon AWS – 10
- Uber – 4
The identified Slack tokens can also provide access to the chat logs used by the developers. Such data can contain additional account credentials that give access to platforms, internal services, databases and various files and documents. Last year a similar study initiated by the security company Detectify identified 1500 such tokens hosted in GitHub projects.
The experts suggest the following:
For app developers reading this, whenever you hardcode any API key/token in the app, think hard if you really need to hardcode this, understand the API usage and the read/write scope of the tokens before putting them in the apps.
For 3rd party services, clearly warn/instruct the developers not to put these secrets in the apps. Create multiple API secrets with different scopes if required.
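As an added example (not code from the article and not Fallible's tool), a small Python scanner that walks the text files of a decoded APK, such as the strings.xml and smali files apktool produces, and flags secret-looking strings before a build ships. The AKIA and xox[abp]- prefixes are the documented public formats of AWS access key IDs and Slack tokens; the sample files and every value in them are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Prefix patterns for token formats with a documented public shape, plus a
# generic pattern for Android string resources whose name says "secret" or
# "token" (Twitter consumer secrets and similar keys have no fixed prefix).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "resource_secret": re.compile(
        r'<string name="([^"]*(?:secret|token|api_key|apikey)[^"]*)">([^<]{16,})</string>',
        re.IGNORECASE,
    ),
}

def scan_text(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (path, finding_type, value) for every secret-looking string."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(2) if kind == "resource_secret" else m.group(0)
            findings.append((path, kind, value))
    return findings

def scan_decoded_apk(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """files maps a decoded-APK relative path to its text content."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample of a decoded APK; all values are fake placeholders.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">Demo</string>\n'
        '  <string name="twitter_consumer_secret">FAKEfakeFAKEfakeFAKEfake1234</string>\n'
        '</resources>\n'
    ),
    "smali/com/example/Upload.smali": (
        'const-string v0, "AKIAFAKEFAKEFAKEFAKE"\n'
        'const-string v1, "xoxb-000000000000-fakefakefake"\n'
    ),
}

if __name__ == "__main__":
    for path, kind, value in scan_decoded_apk(SAMPLE_FILES):
        print(f"{path}: {kind}: {value[:6]}...")  # never log the full value
```

On a real project, feed the scanner the output directory of apktool (or the source tree itself) as a pre-release CI step, so the finding blocks the build rather than surfacing after publication.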
For more information you can access their blog post.