Tech Report is one of the oldest hardware, news, and tech review sites on the internet. We write helpful technology guides, unbiased product reviews, and report on the latest tech and crypto news. We maintain editorial independence and consider content quality and factual accuracy to be non-negotiable.
Cybersecurity researchers at Symantec discovered 9 apps that are putting the data of millions of Android and iOS users at risk with hardcoded credentials.
Hardcoded credentials refer to those passwords and sensitive details that are directly embedded in the source code of the app.
This type of information is easy to compromise during an attack.
A recent analysis by cybersecurity researchers, Yuanjing Guo and Tommy Dong, at Symantec found hardcoded credentials in popular apps (available on Google Play Store & Apple App Store) that put millions of iOS and Android users at risk.
‘The widespread nature of these vulnerabilities across both iOS and Android platforms underscores the urgent need for a shift towards more secure development practices’ – Symantec research report
For those who don’t know, hardcoded credentials refer to plain text passwords or other sensitive data that are directly embedded in the source code of an application.
Hardcoding makes them more susceptible to attacks and once they are compromised, all online accounts of the user that share the same password will be at risk.
List of Apps That Had Hardcoded Credentials
Here’s a list of all the apps that had hardcoded credentials, according to Symantec. Please note this list is not exhaustive, there might be other apps out there with the same issue.
Meru Cabs – It’s an Indian taxi-hailing service with more than 5 million downloads. It had hardcoded credentials of Microsoft Azure.
Eureka – This is a survey-taking app that hardcoded AWS credentials in the app, along with access and secret keys that were hidden in plain text.
The Pic Stitch – This is a collage editing app with more than 5 million users and it also has hardcoded AWS credentials that would not only give the attacker access to production credentials but also a linked Amazon S3 bucket name, access keys, and secret keys.
Sulekha Business – This is a digital platform for local businesses. As per the analysis, it contains at least one hardcoded Azure credential plain-text connection string that gives access to Azure Blob Storage containers.
Videoshop – This is a video editor that also has hardcoded AWS credentials that will not only allow the attacker to steal data but also access and disrupt the backend infrastructure.
Crumbl – This is a popular cookie-ordering app for iOS users. It has hardcoded AWS plain-text credentials along with an access key and secret key. There’s another major security vulnerability –a WebSocket Secure (WSS) endpoint is included within the code – wss://***.iot.us-west-2.amazonaws.com.
EatSleepRIDE Motorcycle GPS – This forum app with more than 100,000 users has hardcoded Twilio credentials.
ReSound Tinnitus Relief and Beltone Tinnitus Calmer – These sound therapy app has more than 500,000 users’ Azure Blob Storage credentials.
So What Can Users Do Now?
The best fix for this issue can only come from the app developers. They need to tweak the code and do a better job of hiding the credentials. However, until that happens, users can use third-party apps to prevent any risk that might happen as a consequence of this coding error.
Other than that, just be careful of the apps you are downloading and make sure you are only downloading them from trusted sources. Also, only share the permissions that are absolutely required to run the app, no need to share a bunch of permissions unnecessarily.
