More than half of the 30,000-plus Android apps investigated leak hard-coded secrets that could have serious repercussions for both app developers and their customers.
New research from Cybernews shows that thousands of apps have secrets hard-coded into them. This means that a malicious actor (and not necessarily a very skilled one) could obtain API keys, Google Cloud Storage bucket references and links to unprotected databases, and ultimately exploit them, simply by analyzing the app packages that are publicly available to anyone.
As if that wasn’t enough, Cybernews found dozens of malicious apps in the Google Play Store and a logic flaw in Google’s services, leaving Android users vulnerable to malware infections.
“Hard-coding sensitive data on the client side of an Android app is a bad idea. In most cases, it can be easily accessed through reverse engineering,” said Vincentas Baubonis, a researcher at Cybernews.
The research team investigated 42,799 apps from the Google Play Store and was able to download 33,334 of the initially identified apps, including approximately 6,000 of the most popular apps.
The team was unable to extract secrets from 9,465 initially identified target applications due to regional limitations on downloads, corrupted downloaded files, or application code obfuscation.
However, after a month-long investigation of more than 30,000 apps, the researchers came to some important conclusions. First, a large volume of apps can be analyzed with what Baubonis called mediocre infrastructure in just a few weeks. A persistent threat actor with more advanced tooling could extract more secrets in a shorter period and then use them for malicious purposes.
Second, 55.94% (18,647) of the apps had hard-coded secrets, including various API (Application Programming Interface) keys and even links to open databases that expose sensitive corporate and user data.
In total, the researchers found more than 124,000 strings that could leak sensitive data. Fewer than half of the apps analyzed had no secrets hard-coded in them at all.
Twenty-two unique types of secrets were discovered, with the various API keys, open Firebase databases, and links to Google Cloud Storage buckets being the most sensitive.
We found the most hard-coded secrets in apps within these five categories: Health & Fitness, Education, Tools, Lifestyle, and Business.
After analyzing the data, the researchers found more than 14,000 Firebase URLs, and 606 were links to open Firebase instances.
Essentially, the Firebase Realtime Database is a cloud-hosted JSON database that stores public or private data about an app and its users. It is the most popular storage solution for Android apps.
Google hosts and runs the service, so application developers do not have to set up and maintain databases of their own. Data leaks happen when such a database is misconfigured, typically through security rules that allow anyone to read it without authentication, so that the whole database is left open to the public.
The following five categories have the highest percentage of open Firebase instances: Personalization (14.76%), Video Players (12.86%), Parenting (10.53%), Libraries and Demos (10.00%) and games and music (9.09%).
Google’s logic flaw
Extensive investigation of Android apps also led our team to discover a basic logic flaw in Google’s services.
It appears that users can download an app from the Play Store without receiving any warning that it might be malicious, even though Google’s own scanning flags the very same file when it travels through another Google service.
The Cybernews research team downloaded apps directly from the Google Play Store to a computer. For proper analysis, the team then had to upload those apps to Google Drive and download them to another computer.
However, when our researchers tried to download some of the apps from Google Drive, Google warned of their potential dangers and would not serve the files, even though an APK (Android Package Kit) cannot even run on a desktop computer without some kind of emulator or virtual environment.
Out of more than 33,000 apps, the researchers were unable to download 44 from Google Drive, even though they had had no problem downloading them directly from the Play Store.
Given that the team analyzed only 33,000 apps out of the roughly 3.5 million in the Play Store, it is likely that many more malicious apps can be downloaded through the official distribution channel.
Google storage buckets
Our research team also found 17,557 Google Cloud Storage (GCS) bucket references – links to cloud storage that can hold anything from text files to images and videos.
If a bucket is left open, a threat actor can read everything in it and, where write access was granted as well, modify or plant files. Such misconfigurations typically happen during setup, when the bucket is made accessible to anyone with an internet connection (the allUsers principal) or to any authenticated Google account (allAuthenticatedUsers), which is barely better, since anyone can create a Google account.
The largest number of GCS buckets was discovered within these five categories: Health & Fitness (1,205), Education (1,168), Tools (1,135), Lifestyle (794), and Business (726).
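The read-access check behind the open-Firebase and open-bucket counts above, as an added example written for this page (it is not Cybernews’ tooling): given a hard-coded Firebase URL or GCS bucket reference, it builds the anonymous GET request that tests public read access and classifies the answer. Host names, bucket names and the User-Agent string are made up for illustration; the status-code mapping follows the documented REST behaviour of both services, and the assertions below run offline against constructed responses. Probe only assets you are authorized to test.

```python
"""Check whether a leaked Firebase Realtime Database URL or Google Cloud Storage
bucket reference is readable anonymously.

Added example, not the researchers' code. It relies on documented REST behaviour:
- Firebase RTDB: GET https://<db>.firebaseio.com/.json returns 200 with data when
  the security rules allow public read, 401 {"error":"Permission denied"} otherwise.
- GCS XML API: GET https://storage.googleapis.com/<bucket> returns a 200
  <ListBucketResult> when allUsers may list objects, 403 AccessDenied otherwise,
  404 NoSuchBucket if the bucket does not exist.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import urllib.error
import urllib.request


@dataclass(frozen=True)
class Probe:
    kind: str    # "firebase" or "gcs"
    target: str  # database host or bucket name
    url: str     # the GET request that tests anonymous read access


def build_probe(secret: str) -> Probe:
    """Turn a hard-coded Firebase URL or GCS bucket reference into a read probe."""
    if secret.startswith("gs://"):
        bucket = secret[len("gs://"):].split("/", 1)[0]
        return Probe("gcs", bucket, f"https://storage.googleapis.com/{bucket}?max-keys=5")
    u = urlparse(secret)
    host = u.hostname or ""
    if host.endswith(".firebaseio.com") or host.endswith(".firebasedatabase.app"):
        # shallow=true returns only the top-level keys, so an open database is
        # confirmed without downloading its whole contents.
        return Probe("firebase", host, f"https://{host}/.json?shallow=true")
    if host == "storage.googleapis.com":
        bucket = u.path.strip("/").split("/", 1)[0]
        return Probe("gcs", bucket, f"https://storage.googleapis.com/{bucket}?max-keys=5")
    raise ValueError(f"not a Firebase or GCS reference: {secret}")


def classify(kind: str, status: int, body: bytes) -> str:
    """Map an HTTP response to a verdict: open, locked, missing or unknown."""
    if kind == "firebase":
        if status == 200:
            return "open"      # rules allow anonymous read
        if status == 401:
            return "locked"    # rules deny anonymous read
        if status == 404:
            return "missing"   # no database at that host
    elif kind == "gcs":
        if status == 200 and b"<ListBucketResult" in body:
            return "open"      # allUsers can list the bucket
        if status == 403:
            return "locked"    # listing requires credentials
        if status == 404:
            return "missing"   # NoSuchBucket
    return "unknown"


def probe(p: Probe, timeout: float = 10.0) -> str:
    """Send the probe over the network and classify the answer (live check)."""
    req = urllib.request.Request(p.url, headers={"User-Agent": "secret-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(p.kind, resp.status, resp.read(4096))
    except urllib.error.HTTPError as err:
        return classify(p.kind, err.code, err.read(4096))


if __name__ == "__main__":
    import sys
    for secret in sys.argv[1:]:
        p = build_probe(secret)
        print(f"{p.kind:8} {p.target:40} {probe(p)}")
```

The anonymous request only detects the allUsers case; a bucket shared with allAuthenticatedUsers answers 403 here and needs a second request carrying the OAuth token of any Google account. A "locked" verdict is therefore not a clean bill of health, only the absence of the worst misconfiguration.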
Cybernews researchers discovered 109 Facebook client tokens and 2,151 Facebook app IDs. An app ID together with its client token lets an app create user accounts through Facebook Login, an OAuth (open authorization) flow that grants websites and apps access to a user’s data without the user sharing a password.
With these two values and a stock of Facebook bot accounts, an attacker can flood the app with a huge number of fake sign-ups, disrupting its normal operation and causing a denial of service.
Most Facebook app IDs were discovered in these categories: Health & Fitness (246), Shopping (146), Lifestyle (121), Casual games (104), and Puzzle games (87). The largest number of client tokens was found in the Shopping, Strategy games, Health & Fitness, Finance, and Entertainment categories.
Accessible API keys
Apps in every category the team analyzed contain hard-coded application programming interface (API) keys. An API key typically authenticates the calling application to a backend service and lets the service attribute requests, quota and billing to that app. Embedding the key in the app becomes a security issue the moment a threat actor extracts it, because whoever holds the key can call the API exactly as the app does.
Google API keys are commonly hard-coded in applications; in total, our team discovered 17,767 of them. Google’s own guidance is that a key shipped in an Android app should be restricted to the app’s package name and signing-certificate fingerprint and to the specific APIs it needs, so that an extracted key is useless elsewhere and cannot be used to run up the owner’s bill.
It is not uncommon to leave API keys accessible, especially for APIs that do not handle sensitive data. Even that is not recommended: anyone with the key can exhaust its quota or generate charges, degrading the service for the app’s real users.
Our team also discovered hard-coded internal APIs within the apps. These are usually extremely sensitive and should never be exposed in a publicly distributed package.
Earlier this year, Cybernews published a story that is a shining example of how dangerous leaving an admin API token in an app can be. Service providers using Onfido, an identity verification (IDV) service, exposed an API token, leaving millions of customers of large companies, such as Europcar, vulnerable to identity theft.
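What extracting such secrets at scale actually involves, both for the API keys discussed in this section and for the extraction method behind the study’s figures: an added example written for this page, not Cybernews’ scanner. It treats an APK as the zip archive it is, scans every member for secret-shaped strings (Google API keys, Firebase URLs, GCS bucket references, Facebook app IDs) and reports unique hits per kind. The regexes are our own assumptions about how these values usually look, and the embedded sample package is constructed for illustration; a real run takes an APK path on the command line.

```python
"""Scan an APK for hard-coded secrets of the kinds the Cybernews study counted.

Added example, not the researchers' tooling. An APK is a zip archive, so the
scanner reads every member (classes.dex, resources.arsc, assets, raw resources)
as bytes and runs secret-shaped regexes over it. That catches plain strings in
DEX string tables and text assets, but not values an obfuscator has encrypted or
split across constants. Every hit is a candidate to verify, not proof.
"""
import io
import re
import sys
import zipfile

# Group 1 of each pattern is the value worth reporting. The shapes are our own
# assumptions about how these secrets usually appear in app code.
PATTERNS = {
    "google_api_key": re.compile(rb"(AIza[0-9A-Za-z_\-]{35})"),
    "firebase_url": re.compile(rb"(https://[a-z0-9-]+\.firebaseio\.com)"),
    "gcs_bucket": re.compile(
        rb"(?:https://storage\.googleapis\.com/|gs://)([a-z0-9][a-z0-9._-]{1,61}[a-z0-9])"
    ),
    # Facebook Login registers an Android URL scheme of the form fb<app id>.
    "facebook_app_id": re.compile(rb"\bfb(\d{15,16})\b"),
}


def scan_member(name: str, data: bytes) -> list[tuple[str, str, str]]:
    """Return (kind, value, member) for every secret-shaped string in one member."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(data):
            hits.append((kind, m.group(1).decode("ascii"), name))
    return hits


def scan_apk(apk_bytes: bytes) -> dict[str, set[str]]:
    """Scan every file inside an APK (a zip) and group unique findings by kind."""
    findings: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for kind, value, _ in scan_member(info.filename, zf.read(info)):
                findings.setdefault(kind, set()).add(value)
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: a zip with a DEX-like blob and a config.

    Every value in it is made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dex = (
            b"dex\n035\x00" + b"\x00" * 16
            + b"AIzaSyExampleKey0123456789abcdefghijklm\x00"
            + b"https://storage.googleapis.com/example-app-public/\x00"
            + b"Lcom/example/app/MainActivity;\x00"
        )
        zf.writestr("classes.dex", dex)
        zf.writestr(
            "res/raw/config.json",
            b'{"fb_login_scheme": "fb123456789012345", '
            b'"firebase": "https://example-app-12345.firebaseio.com", '
            b'"uploads": "gs://example-app-uploads"}',
        )
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for kind, values in sorted(scan_apk(data).items()):
        for value in sorted(values):
            print(f"{kind:18} {value}")
```

Matching raw bytes rather than decoding each member is deliberate: DEX string tables and compiled resources are not valid UTF-8 as a whole, but the ASCII-only patterns above find their targets inside them regardless. Splitting a key across two constants, or storing it encrypted and decrypting at runtime, defeats this scanner but not a reverse engineer with a debugger, which is the point the article makes.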
Recently, the cybersecurity firm CloudSEK discovered 3,207 apps leaking Twitter API keys. By making use of them, threat actors could access and even take over Twitter accounts and create armies of bots for various purposes, such as disinformation or cryptocurrency scams.