Fallible, an enterprise security firm, has found some hardcoded secret keys and tokens in hundreds of Android apps available on Play Store. The secret tokens found in the apps can be exploited to leak sensitive user data.
Most often tokens used in apps are used for third-party services integration with the app. However, they can be abused if leaked. Fallible spent last few months in reverse engineering apps in Play Store to discover security issues. The company even released its reverse engineering tool to help developers.
Fallible analysed over 16000 apps, of which 300 apps had easily found keys for popular services like Dropbox, Twitter and Slack. The security firm also found hard-coded tokens for AWS (Amazon Web Services) in some of the apps. Abusing the AWS tokens can lead to data leak and even shutdown of services.
The hardcoded keys in apps can lead to massive destruction. Developers need to think twice before hardcoding API key or token in the app. The read-write scope of the tokens need to be customised according to actual requirements before putting them into the app.
Apart from the security keys and tokens, Fallible talks about a leaked API secrets in a popular transportation startups that can leak user data of its customers. The data includes support emails, phone numbers, personal information and chats.
This is not the first time when some tokens have been spotted in Android apps. A report published last year had revealed the presence of over 1,500 tokens for Slack that were used by large enterprises.