Hardcoded credentials are often found in source code and refer to the practice of embedding “plain text passwords” and other “sensitive information” directly into applications.
Once the hardcoded credentials are compromised can allow unauthorized access to multiple systems and devices that share the “same default passwords,” which leads to widespread vulnerabilities and potential cyberattacks.
Cybersecurity researchers at Symantec recently discovered that hardcoded credentials in popular apps put millions of Android and iOS users at risk.
National Cybersecurity Awareness Month Cyber Challenges – Test your Skills Now
Hardcoded Creds In Popular Apps
Mobile applications with embedded hardcoded cloud service credentials represent a critical security vulnerability in today’s digital ecosystem, as evidenced by several popular apps like:-
- Pic Stitch (5+ million downloads)
- Crumbl (3.9+ million ratings)
- Eureka: Earn Money for Surveys (402.1K ratings)
- Videoshop – Video Editor (357.9K ratings)
The above-mentioned popular apps exposed their AWS credentials like “access keys” and “secret keys,” directly within their source code.
These apps implemented insecure practices by storing “unencrypted AWS S3 bucket access credentials,” “IoT service endpoints” (like ‘WebSocket Secure URLs – “wss://”‘), and “Microsoft Azure Blob Storage authentication tokens in their codebases,” which make them vulnerable to exploitation via “binary analysis” and “source code examination.”
For instance, Pic Stitch’s “loadAmazonCredential()” method and Crumbl’s “AWSStaticCredentialsProvider” implementation exposed production-level credentials that could grant unauthorized access to backend services, while Eureka’s “INMAWSCredentials” object initialization with plaintext credentials demonstrated similar security oversights.
This widespread practice of hardcoding cloud credentials without encryption and proper security measures puts millions of users’ data at risk of “theft,” “manipulation,” and “unauthorized access.”
While this leads to severe security breaches that affect both “user privacy” and “application infrastructure” integrity across the ‘Google Play Store’ and ‘Apple App Store’ platforms.
The critical vulnerabilities concern the mishandling of “Microsoft Azure Blob Storage” credentials via hardcoding practices.
The investigation revealed that popular apps like “Meru Cabs” (exceeding 5 million downloads), “Sulekha Business” (over 500,000 downloads), and “ReSound Tinnitus Relief” (surpassing 500,000 downloads) embedded “unencrypted connection strings” and “account keys” directly within their application binaries and source code by creating significant security exposures.
In the case of “Meru Cabs,” the “UploadLogs service” contained plaintext Azure credentials, while “Sulekha Business” implemented multiple hardcoded Azure connection strings across its codebase for managing various functionalities like “post creation,” “invoice processing,” and “user profile storage.”
Similarly, “ReSound Tinnitus Relief” exposed its “Azure Blob Storage” credentials used for managing “audio assets” and “sound files.”
This widespread practice of embedding unencrypted cloud service credentials poses severe security implications as malicious actors who gain access to these applications’ “binaries” or “source code” could extract these credentials.
At this point, it leads to “unauthorized access” to “sensitive cloud storage resources,” “data breaches,” and “compromise of backend infrastructure.”
The vulnerability pattern spans both “iOS” and “Android” platforms which highlights a systemic issue in mobile application development practices where developers compromise security by hardcoding cloud service authentication credentials instead of implementing “secure credential management systems.”
Mitigations
Here below we have mentioned all the mitigations:-
- Use Environment Variables
- Implement Secrets Management
- Encrypt Sensitive Data
- Code Reviews and Audits
- Automate Security Scanning
- Keep software up to date
- Do not download apps from unknown sources
- Install a proper security app
- Always pay close attention to the permissions that apps request
- Make sure to frequently backup important data
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here