Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps
Examining the hidden risks posed to user privacy and security by the presence of hardcoded credentials within popular mobile apps.
Mobile apps have become an essential part of everyday life, with millions of downloads on the Google Play Store and the Apple App Store. Alongside that growth, a hidden threat has emerged that puts user data and backend services at significant risk.
Recent analysis has uncovered a troubling trend: several widely used apps contain hardcoded, unencrypted cloud service credentials within their codebases. This is dangerous because the app binary is not secret: every user who installs the app holds a copy, and anyone who decompiles it can extract the credentials and use them to read, alter or exfiltrate data, leading to severe security breaches.
In this blog, we will explore specific examples of these vulnerabilities, focusing on apps that have hardcoded Amazon Web Services (AWS) and Microsoft Azure Blob Storage credentials, and discuss best practices that developers should adopt to prevent such issues.
Hardcoded AWS Credentials in Mobile Apps
The Pic Stitch: Collage Maker app, with over 5 million downloads on the Google Play Store, contains AWS credentials hardcoded directly in its code, posing a significant security risk. The Jadx decompilation (Figures 1-3) shows that the method loadAmazonCredential(boolean z) selects credentials by environment: when the flag is true the app loads the production set, including the production Amazon S3 bucket name, the read and write access keys and their secret keys; when the flag is false it loads the corresponding staging set. Both sets ship in the same APK, so a single download yields working credentials for production and staging alike.
Similarly, the same type of insecure credential management has been uncovered in several popular iOS apps (Figure 4), all of which embed hardcoded, unencrypted AWS credentials within their codebases. Three apps in particular, Crumbl, Eureka: Earn Money for Surveys, and Videoshop - Video Editor, exemplify this widespread problem.
Crumbl
With over 3.9 million ratings and ranked number 5 in the Food & Drink category on the App Store, Crumbl's code (Figure 5) initializes an AWSStaticCredentialsProvider with a plain-text access key and secret key and uses it to configure the AWS SDK, leaving the credentials exposed to anyone who reads the binary. The code also hardcodes a WebSocket Secure (WSS) endpoint, "wss://***.iot.us-west-2.amazonaws.com". A hostname of this form is an AWS IoT Core device endpoint (MQTT over WebSockets); the SDK signs connections to it with the same static IAM credentials, so anyone who extracts the keys can open their own session to the endpoint and, within whatever the attached IoT policy allows, subscribe to or publish on the application's topics. The TLS underneath WSS protects traffic in transit but offers no protection against a client that holds the keys themselves. The core exposure is the static credentials; the hardcoded endpoint merely saves an attacker the step of discovering where to use them.
Eureka: Earn Money for Surveys
This app, with 402.1K ratings and ranked 61 in the Lifestyle category, hardcodes AWS credentials directly within its code (Figure 6). The app allocates an INMAWSCredentials object and initializes it with a plain-text access key and secret key, which it then uses to log events to AWS. Note that what an extracted key can do is determined by the IAM policy attached to it, not by the app's use of it for logging: a key embedded only to write events still exposes everything else that policy permits.
Videoshop - Video Editor
With 357.9K ratings, Videoshop embeds AWS credentials directly in the -[VSAppDelegate setupS3] method (Figure 7). The credentials are stored in clear text, so anyone who obtains the decrypted app binary can read them and gain the same access to the associated S3 buckets that the app has, which can mean listing, downloading, overwriting or deleting user uploads.
In all of these example apps, hardcoded credentials are used to authenticate with various AWS services, such as S3 buckets for storage and IoT data management. This common practice of embedding sensitive information like AWS keys directly within the code, without any form of encryption or protection, poses a severe risk. Attackers who gain access to these credentials could exploit them to compromise the app's backend infrastructure, steal user data, or cause service disruptions.
Hardcoded Azure Credentials in Mobile Apps
A similar security issue has been identified in several popular Android apps (Figure 8) that have hardcoded, unencrypted Microsoft Azure Blob Storage credentials within their source code. These credentials, embedded directly in the apps' binaries, pose significant risks to both the security and privacy of the apps' users.
Meru Cabs
With over 5 million downloads on the Google Play Store, Meru Cabs hardcodes an Azure Storage connection string inside its UploadLogs service (Figure 9). The connection string carries the storage account's AccountKey. An account key is not scoped to the feature it was embedded for: it authorizes every operation on every container in that storage account, so a key shipped for writing logs also grants read, overwrite and delete on whatever else the account holds.
Sulekha Business
This app, with over 500K downloads, embeds multiple hardcoded Azure connection strings across its codebase (Figure 10). They are used for adding posts, handling invoices and storing user profiles. Plain-text connection strings for Azure Blob Storage containers put all of that data, invoices and profile records included, at significant risk.
ReSound Tinnitus Relief
With over 500K downloads, ReSound Tinnitus Relief also hardcodes its Azure Blob Storage credentials (Figure 11). They are used to manage assets and sound files, and their exposure would let an attacker read, alter or delete those files.
In each of these cases the embedded credential reaches well beyond the feature it was added for: an Azure account key gives full access to the storage account, so user data and backend resources the app itself never touches are exposed as well. This repeated pattern of insecure credential management across multiple apps highlights the critical need for developers to adopt more secure practices.
Conclusion
The examples highlighted in this blog demonstrate the serious security risks posed by hardcoded and unencrypted cloud service credentials in mobile apps. This practice exposes critical infrastructure to potential attacks, endangering user data and backend services. The widespread nature of these vulnerabilities across both iOS and Android platforms underscores the urgent need for a shift towards more secure development practices.
Best Practices for Developers
To mitigate these risks, developers should follow best practices for managing sensitive information within their applications:
- Do Not Ship Long-Lived Keys in the App: Build-time environment variables and CI secret stores only keep the key out of the repository; whatever the build reads from them is still compiled into the binary that every user downloads. Instead, have the app authenticate its users to your own backend and have the backend issue short-lived, narrowly scoped credentials: temporary credentials from AWS STS or an Amazon Cognito identity pool, or a time-limited Azure SAS token for a single container or blob, rather than the account key.
- Keep Secrets Management Server-Side: Dedicated tools such as AWS Secrets Manager or Azure Key Vault are the right place for backend services to store and rotate keys, but a mobile client cannot call them without a credential of its own, so on their own they do not remove the need for the backend-issued credentials above.
- Treat In-App Encryption as Delay, Not Protection: If a credential must exist in the app, encrypting or obfuscating it raises the cost of extraction but does not prevent it, because the decryption key and routine ship in the same binary and a debugger or hook on the decryption call recovers the plaintext. Scope such a key to the minimum permissions (for example, write-only access to one S3 prefix or one blob container) and rotate it immediately when a release is found to contain it.
- Code Reviews and Audits: Regularly conduct code reviews and security audits to identify and eliminate hardcoded credentials and other security vulnerabilities.
- Automate Security Scanning: Integrate automated secret scanning into the CI/CD pipeline, run both over the source tree and over the built APK/IPA (decompiled output and string tables), so that a key that leaks in through a dependency or a build step is caught before release.
By adopting these best practices, developers can significantly reduce the risk of exposing sensitive information and ensure that their applications are secure against potential threats. As the examples in this blog demonstrate, the stakes are high, and it is imperative that security be a top priority in the mobile app development lifecycle.
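As an added example (not code from the Symantec research or from any of the apps named above), the following Python scanner looks in decompiled output, such as Jadx or class-dump text, for the two credential shapes discussed in the AWS and Azure sections: AWS access key IDs with their 40-character secret keys, and Azure Storage connection strings carrying an AccountKey or a SharedAccessSignature. The sample input is constructed to mirror the loadAmazonCredential and connection-string patterns described above; the keys in it are the placeholder pair from AWS documentation and synthetic Azure values, not credentials from any app. Each finding is rated by what the credential can do rather than by how it is used: an AKIA key or a storage account key is long-lived and broad, while an ASIA key (temporary STS credentials) or a SAS token is scoped and expiring.

```python
"""Offline scanner for embedded cloud credentials in decompiled mobile-app text.

Added example, not part of the original research. Feed it the text that
jadx, strings or a class dump produced for an APK or IPA.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample in the shape of the decompiled code described in the post:
# a Jadx-style Java method plus two Objective-C string literals. Every value is
# synthetic; the AKIA/secret pair is the placeholder pair from AWS documentation.
SAMPLE_SOURCE = r'''
public void loadAmazonCredential(boolean z) {
    if (z) {
        this.bucketName = "prod-user-uploads";
        this.accessKey = "AKIAIOSFODNN7EXAMPLE";
        this.secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    } else {
        this.accessKey = "ASIAIOSFODNN7EXAMPLE";
    }
}
NSString *conn = @"DefaultEndpointsProtocol=https;AccountName=applogs;AccountKey=bm90LWEtcmVhbC1rZXk=;EndpointSuffix=core.windows.net";
NSString *sas = @"BlobEndpoint=https://assets.blob.core.windows.net/;SharedAccessSignature=sv=2022-11-02&se=2025-01-01&sr=c&sp=r&sig=abc";
'''

# AWS access key IDs: AKIA = long-lived IAM user key, ASIA = temporary STS key.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# AWS secret keys are 40 characters from the base64 alphabet; require that the
# run is not part of a longer token so account keys and URLs do not match.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
STRING_LITERAL = re.compile(r'"([^"\n]*)"')
HEX40 = re.compile(r"[0-9a-f]{40}")  # git SHA-1 values are a classic false positive


@dataclass
class Finding:
    kind: str
    line: int
    severity: str
    value: str  # masked, so reports can be shared without leaking the secret
    note: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above repeated filler."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def mask(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "***"


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' on ';' and the first '=' only, so a SAS
    value that itself contains '=' and '&' stays intact."""
    parts: Dict[str, str] = {}
    for segment in value.split(";"):
        if "=" in segment:
            key, val = segment.split("=", 1)
            parts[key.strip()] = val.strip()
    return parts


def scan_line(lineno: int, line: str) -> List[Finding]:
    out: List[Finding] = []
    for m in AWS_KEY_ID.finditer(line):
        key_id = m.group(1)
        if key_id.startswith("ASIA"):
            out.append(Finding("aws-access-key-id", lineno, "medium", mask(key_id),
                               "temporary STS key id: expires and needs its session token"))
        else:
            out.append(Finding("aws-access-key-id", lineno, "high", mask(key_id),
                               "long-lived IAM user key id: look for its 40-char secret nearby"))
    for m in AWS_SECRET.finditer(line):
        cand = m.group(1)
        if HEX40.fullmatch(cand) or shannon_entropy(cand) < 3.0:
            continue  # git SHA-1 or low-entropy filler, not a key
        out.append(Finding("aws-secret-access-key", lineno, "high", mask(cand),
                           "secret access key: with its key id this signs any permitted API call"))
    for m in STRING_LITERAL.finditer(line):
        literal = m.group(1)
        if "AccountKey=" not in literal and "SharedAccessSignature=" not in literal:
            continue
        parts = parse_connection_string(literal)
        account = parts.get("AccountName") or parts.get("BlobEndpoint", "?")
        if "AccountKey" in parts:
            out.append(Finding("azure-account-key", lineno, "high", mask(parts["AccountKey"]),
                               f"storage account key for {account}: full access to every container"))
        if "SharedAccessSignature" in parts:
            q = parse_qs(parts["SharedAccessSignature"])
            perms, expiry = q.get("sp", ["?"])[0], q.get("se", ["none"])[0]
            out.append(Finding("azure-sas-token", lineno, "medium", mask(parts["SharedAccessSignature"]),
                               f"SAS for {account}: permissions={perms} expires={expiry}"))
    return out


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line:>3} [{f.severity:<6}] {f.kind:<22} {f.value:<14} {f.note}")
```

Run it over the directory that `jadx -d out app.apk` produces, or over `strings` output from a decrypted iOS Mach-O, and the same scan() function drops into a CI step that inspects the built artifact rather than the source tree; the artifact is where build-time environment variables end up. The entropy and hex filters are what keep a scanner like this usable on real decompiled output, where 40-character runs of base64-looking text (git hashes, certificate fragments) are common; tune the threshold against your own false-positive rate rather than removing the check.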
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Keep your software up to date
- Pay close attention to the permissions that apps request
- Make frequent backups of important data
Appendix
List of apps with hardcoded credentials identified in this research.
| App Name | Downloads/Ratings | Threat Exposed |
|---|---|---|
| Pic Stitch | 5M+ downloads on Google Play | Amazon hardcoded credentials |
| Crumbl | 3.9M+ ratings on the App Store | Amazon hardcoded credentials |
| Eureka: Earn money for surveys | 402.1K+ ratings on the App Store | Amazon hardcoded credentials |
| Videoshop - Video Editor | 357.9K+ ratings on the App Store | Amazon hardcoded credentials |
| Meru Cabs- Local, Rental, Outs | 5M+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials |
| Sulekha Business-List & grow | 500K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials |
| ReSound Tinnitus Relief | 500K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials |
| Saludsa | 100K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials |
| Chola Ms Break In | 100K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials |
| EatSleepRIDE Motorcycle GPS | 100K+ downloads on Google Play | Twilio hardcoded credentials |
| Beltone Tinnitus Calmer | 100K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials |
| Solitaire Clash: Win Real Cash | 244.8K ratings on the App Store | Amazon hardcoded credentials |
| Zap Surveys - Earn Easy Money | 235K ratings on the App Store | Amazon hardcoded credentials |