- Security researchers from Cybernews found thousands of iOS apps with hard-coded secrets
- The secrets could be used in data leakage or wire fraud
- Most of the secrets can be disregarded as low sensitivity
Researchers from the Cybernews team have found evidence to suggest that thousands of App Store applications have left hard-coded secrets in their code, which has resulted in users’ sensitive information being exposed to cyber criminals.
The researchers analyzed more than 156,000 iOS apps and discovered more than 815,000 hard-coded secrets, of which thousands were “very sensitive and could lead directly to violations or data leaks.”
A “secret” is a broad expression and includes things like API keys, passwords or encryption keys. Being “hard-coded” means that the developers add these things directly to the source code. The general consensus is that they do it because it is convenient in production, and often just forget to remove the secrets when the app goes live.
Cloud data, API keys, Stripe data
The average app’s code exposes 5.2 secrets, and 71% of apps leak at least one secret, Cybernews reported.
The majority of these secrets can be disregarded, the researchers explained, as they cannot be used in criminal attacks. However, they found nearly 83,000 hard-coded cloud storage endpoints, 836 of which do not require authentication and could leak more than 400 TB of data. They also found 51,000 Firebase endpoints, of which “thousands” are open to outsiders, as well as thousands of exposed keys for Fabric API, Live Branch, MobApp Creator and others.
However, the biggest problem was Stripe Secret Keys, which directly control financial transactions. “Stripe is widely used by e-commerce and even fintech companies to handle online payments,” Cybernews explained before saying its team found 19 Stripe Secret Keys.
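The secret classes the report singles out (Stripe secret keys, Firebase endpoints, cloud storage buckets) are exactly what a pre-release source scan should catch. The Python below is an added example written for this article, not code from Cybernews or from any scanner it used; the regex patterns, the Swift sample and every key value in it are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Patterns for the secret classes the report calls out. Stripe secret keys
# carry an "sk_live_"/"sk_test_" prefix, Firebase Realtime Database URLs end in
# firebaseio.com, and S3 buckets appear as virtual-hosted URLs.
# Assumption: these patterns are illustrative, not the ones Cybernews used.
PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "firebase_endpoint": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"),
    "s3_bucket": re.compile(r"https://[a-z0-9.-]+\.s3[a-z0-9.-]*\.amazonaws\.com\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    redacted: str  # enough to triage the hit without copying the secret around


def redact(value: str) -> str:
    """Keep a short prefix and suffix so a finding can be matched to a key."""
    if len(value) <= 12:
        return value[:4] + "..."
    return value[:8] + "..." + value[-4:]


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per pattern hit, with line numbers for the fix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(kind, lineno, redact(m.group(0))))
    return findings


# Constructed Swift snippet standing in for an app that ships its secrets.
SAMPLE_SWIFT = """
import Foundation
let stripeKey = "sk_live_CONSTRUCTED0123456789abcd"   // a payment secret, must never ship
let db = URL(string: "https://example-app-default.firebaseio.com")!
let bucket = "https://example-app-uploads.s3.us-east-1.amazonaws.com"
let pubKey = "pk_live_CONSTRUCTEDpublishable00001"    // publishable keys are meant to ship
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SWIFT):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Publishable Stripe keys (`pk_`) are intentionally left unflagged; endpoints that are found still need a separate, authenticated check of their access rules, which this offline scan cannot perform.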
“Many people think iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hard-coded credentials. We followed the track and found open databases with personal information and available infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.
“Some iOS developers just make it too easy for hackers.”
We have reached out to Apple for comment and will update the article when we hear back.
Via Cybernews