
Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps

Examining the hidden risks posed to user privacy and security due to presence of hardcoded credentials within popular mobile apps.

Mobile apps have become an essential part of our everyday lives, with millions of app downloads on platforms like the Google Play Store and Apple App Store. Alongside that growth, a hidden threat has emerged that could put user data and backend services at significant risk.

Recent analysis has uncovered a troubling trend: several widely-used apps have been found to contain hardcoded and unencrypted cloud service credentials within their codebases. This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches. 

In this blog, we will explore specific examples of these vulnerabilities, focusing on apps that have hardcoded Amazon Web Services (AWS) and Microsoft Azure Blob Storage credentials, and discuss best practices that developers should adopt to prevent such issues.

Hardcoded AWS Credentials in Mobile Apps

The Pic Stitch: Collage Maker app, with over 5 million downloads on the Google Play Store, has been found to contain hardcoded AWS credentials directly within its code, posing a significant security risk. The code snippets from Jadx (Figures 1-3) reveal that the app uses the method loadAmazonCredential(boolean z) to load the appropriate credentials depending on the environment. If the boolean flag is set to true, the app loads the production credentials, including the production Amazon S3 bucket name, the read and write access keys, and the secret keys. Conversely, if the flag is false, the app loads the corresponding staging credentials.

Figure 1. Pic Stitch hardcoded credentials code
Figure 2. Pic Stitch credential loading code
Figure 3. Pic Stitch upload file code

Similarly, the same type of insecure credential management has been uncovered in several popular iOS apps (Figure 4), all of which have embedded hardcoded and unencrypted AWS credentials within their codebases. Three apps in particular—Crumbl, Eureka: Earn Money for Surveys, and Videoshop - Video Editor—exemplify this widespread problem.

Figure 4. Pic Stitch upload file code

Crumbl

With over 3.9 million ratings and ranked number 5 in the Food & Drink category on the Apple App Store, Crumbl's code (Figure 5) initializes an AWSStaticCredentialsProvider with plain-text credentials, including an access key and secret key. These credentials are used to configure AWS services, leaving them exposed and vulnerable to misuse. Furthermore, the inclusion of a WebSocket Secure (WSS) endpoint within the code—"wss://***.iot.us-west-2.amazonaws.com"—highlights a significant security oversight. This endpoint, part of the Amazon API URL, is hardcoded with an API Gateway that directly connects to the IoT services on AWS. Exposing such URLs alongside static credentials makes it easier for attackers to potentially intercept or manipulate communications, leading to unauthorized access to the associated AWS resources. This configuration, without proper encryption or obfuscation, presents a serious risk to the integrity of the application and its backend infrastructure.

Figure 5. Crumbl IDA code with hardcoded AWS credentials

Eureka: Earn Money for Surveys

This app, with 402.1K ratings and ranked 61 in the Lifestyle category, hardcodes AWS credentials directly within its code (Figure 6). The app allocates an INMAWSCredentials object and initializes it with the access key and secret key, both stored in plain text. These credentials are used to log events to AWS, exposing critical cloud resources to potential attacks.

Figure 6. Eureka IDA code with hardcoded AWS credentials

Videoshop - Video Editor

With 357.9K ratings, Videoshop directly embeds AWS credentials in the -[VSAppDelegate setupS3] method (Figure 7). These credentials are not encrypted, meaning anyone with access to the app's binary could easily extract them, gaining unauthorized access to the associated S3 buckets and potentially leading to data theft or manipulation.

Figure 7. Videoshop IDA code with hardcoded AWS credentials

In all of these example apps, hardcoded credentials are used to authenticate with various AWS services, such as S3 buckets for storage and IoT data management. This common practice of embedding sensitive information like AWS keys directly within the code, without any form of encryption or protection, poses a severe risk. Attackers who gain access to these credentials could exploit them to compromise the app's backend infrastructure, steal user data, or cause service disruptions.


Hardcoded Azure Credentials in Mobile Apps

A similar security issue has been identified in several popular Android apps (Figure 8) that have hardcoded and unencrypted Microsoft Azure Blob Storage credentials within their source code. These credentials, embedded directly into the apps' binaries, pose significant risks to both the security and privacy of the apps' users.

Figure 8. Example apps on Google Play Store page with hardcoded Azure credentials

Meru Cabs

With over 5 million downloads on the Google Play Store, Meru Cabs hardcodes Azure credentials within its UploadLogs service (Figure 9), embedding a connection string that includes an account key. This connection string is used to manage log uploads, exposing critical cloud storage resources to potential abuse.

Figure 9. Meru Cabs Jadx code with hardcoded Azure credentials

Sulekha Business

This app, with over 500K downloads, embeds multiple hardcoded Azure credentials across its codebase (Figure 10). These credentials are used for various purposes, such as adding posts, handling invoices, and storing user profiles. The use of plain-text connection strings to access Azure Blob Storage containers puts sensitive data at significant risk.

Figure 10. Sulekha Business Jadx code with hardcoded Azure credentials

ReSound Tinnitus Relief

With over 500K downloads, ReSound Tinnitus Relief also hardcodes its Azure Blob Storage credentials (Figure 11). These credentials are used to manage various assets and sound files, and their exposure could lead to unauthorized access and data breaches.

Figure 11. ReSound Tinnitus Relief Jadx code with hardcoded Azure credentials

These hardcoded credentials not only expose the Azure Blob Storage accounts to unauthorized access but also put user data and backend resources at risk. Anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches. This repeated pattern of insecure credential management across multiple apps highlights the critical need for developers to adopt more secure practices.


Conclusion

The examples highlighted in this blog demonstrate the serious security risks posed by hardcoded and unencrypted cloud service credentials in mobile apps. This practice exposes critical infrastructure to potential attacks, endangering user data and backend services. The widespread nature of these vulnerabilities across both iOS and Android platforms underscores the urgent need for a shift towards more secure development practices.

Best Practices for Developers

To mitigate these risks, developers should follow best practices for managing sensitive information within their applications:

  • Use Environment Variables: Store sensitive credentials in environment variables, which are loaded at runtime, instead of embedding them directly in the code.
  • Implement Secrets Management: Utilize dedicated secrets management tools, such as AWS Secrets Manager or Azure Key Vault, to securely store and access credentials.
  • Encrypt Sensitive Data: If credentials must be stored in the app, ensure they are encrypted using strong encryption algorithms, and decrypt them at runtime as needed.
  • Code Reviews and Audits: Regularly conduct code reviews and security audits to identify and eliminate hardcoded credentials and other security vulnerabilities.
  • Automate Security Scanning: Integrate automated security scanning tools into the CI/CD pipeline to detect hardcoded credentials and other common security flaws early in the development process.
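The last bullet is the one that catches the pattern described throughout this post (static access keys, secret keys and storage connection strings sitting as string literals in Jadx or IDA output). The following scanner is an added example written for this page, not code from the original post or from any of the vendors named above. It flags the credential shapes discussed here in a tree of decompiled sources or in a repository before release, and exits non-zero so it can gate a CI/CD stage. The patterns are assumptions about identifier shape (AWS access key IDs begin with AKIA or ASIA, Twilio Account SIDs with AC, Azure Storage connection strings carry an AccountKey= field); the sample input is constructed, and the AWS key pair in it is the pair from AWS's own documentation examples, not a real credential.

```python
"""Added example (not code from the original post): a small secret scanner
that flags the credential shapes discussed above in decompiled app sources
(Jadx output, smali, iOS strings dumps) or in a repository before release.
Sample input and all key values below are constructed or taken from vendor
documentation examples; none is a real credential."""
import os
import re
import sys
from typing import List, NamedTuple

# Identifier shapes (assumptions about format, not values from the post).
# AWS access key IDs are 20 chars starting AKIA (long-term) or ASIA (temporary);
# Twilio Account SIDs are "AC" + 32 hex chars; an Azure Storage connection
# string carries the account key in an AccountKey= field. The AWS secret
# pattern requires a nearby "secret" hint to limit false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[^\n\"']{0,40}?[\"']([A-Za-z0-9/+]{40})[\"']"),
    "azure_storage_account_key": re.compile(
        r"AccountKey=([A-Za-z0-9+/]{80,}={0,2})"),
    "twilio_account_sid": re.compile(
        r"(?<![A-Za-z0-9])AC[0-9a-f]{32}(?![A-Za-z0-9])"),
}

SOURCE_EXTENSIONS = (".java", ".kt", ".smali", ".m", ".swift", ".xml",
                     ".json", ".plist", ".properties", ".txt")


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    masked: str   # never the full secret: first and last 4 chars only


def mask(value: str) -> str:
    """Report enough of a match to locate it without reprinting the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, path: str = "<string>") -> List[Finding]:
    """Return one Finding per credential-shaped match in `text`, ordered by line."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, kind, mask(value)))
    return sorted(findings)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory (e.g. a Jadx export) and scan every source-like file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SOURCE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
    return findings


# Constructed Jadx-style snippet in the shape the post describes: a boolean
# flag selecting production or staging credentials. Key values are the AWS
# documentation example pair and obviously fake Azure/Twilio values.
SAMPLE_SOURCE = (
    'public static void loadAmazonCredential(boolean z) {\n'
    '    if (z) {\n'
    '        bucketName = "prod-uploads-example";\n'
    '        accessKey = "AKIAIOSFODNN7EXAMPLE";\n'
    '        secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
    '    }\n'
    '}\n'
    'String azureConn = "DefaultEndpointsProtocol=https;AccountName=examplestorage;'
    'AccountKey=' + "A" * 86 + '==;EndpointSuffix=core.windows.net";\n'
    'String twilioSid = "AC' + "0" * 32 + '";\n'
)


def main(argv: List[str]) -> int:
    """Scan the directories given on the command line, or the sample if none."""
    findings = []
    if argv:
        for root in argv:
            findings.extend(scan_tree(root))
    else:
        findings = scan_text(SAMPLE_SOURCE, "sample.java")
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} {f.masked}")
    return 1 if findings else 0   # non-zero exit fails a CI pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the four findings on the constructed sample, or point it at a Jadx export directory (`python scanner.py out/sources`). It only matches plain-text shapes: a value that is obfuscated or encrypted in the binary but decrypted at runtime with a key that ships in the same binary will pass this check, so review any decryption path in the app as carefully as a literal.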

By adopting these best practices, developers can significantly reduce the risk of exposing sensitive information and ensure that their applications are secure against potential threats. As the examples in this blog demonstrate, the stakes are high, and it is imperative that security be a top priority in the mobile app development lifecycle.


Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Symantec recommends users follow these best practices to stay protected from mobile threats:

  • Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Keep your software up to date
  • Pay close attention to the permissions that apps request
  • Make frequent backups of important data


Appendix

List of apps with hardcoded credentials used in this research.

App Name | Downloads/Ratings | Threat Exposed
Pic Stitch | 5M+ downloads on Google Play | Amazon hardcoded credentials
Crumbl | 3.9M+ ratings on Apple Store | Amazon hardcoded credentials
Eureka: Earn money for surveys | 402.1K+ ratings on Apple Store | Amazon hardcoded credentials
Videoshop - Video Editor | 357.9K+ ratings on Apple Store | Amazon hardcoded credentials
Meru Cabs- Local, Rental, Outs | 5M+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials
Sulekha Business-List & grow | 500K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials
ReSound Tinnitus Relief | 500K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials
Saludsa | 100K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials
Chola Ms Break In | 100K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials
EatSleepRIDE Motorcycle GPS | 100K+ downloads on Google Play | Twilio hardcoded credentials
Beltone Tinnitus Calmer | 100K+ downloads on Google Play | Microsoft Azure Blob Storage hardcoded credentials
Solitaire Clash: Win Real Cash | 244.8K ratings on Apple Store | Amazon hardcoded credentials
Zap Surveys - Earn Easy Money | 235K ratings on Apple Store | Amazon hardcoded credentials

About the Author

Yuanjing Guo

Software Engineer

Yuanjing is a member of Symantec's Security Technology and Response team who are focused on researching and developing automation technologies in mobile security.

About the Author

Tommy Dong

Sr Princ Software Engineer

Tommy is a member of Symantec's Security Technology and Response team who are focused on researching and providing protection against current and future cyber threats.
