Many iOS Apps Are Leaking Secrets in App Code, Putting User Data at Risk

Cybernews downloaded 156,000 iOS apps to find out whether they are safe and what sensitive secrets they leak. The results showed that about 71% of the downloaded apps leak at least one secret that can put user data at risk. Most people assume developers build apps with users' best interests in mind, yet many leave plaintext credentials in the application code, where anyone who unpacks the app, including attackers, can read them. Cybernews found that the leaking apps expose 5.2 secrets on average.

Hardcoding secrets means embedding sensitive values such as passwords, API keys, and encryption keys directly in the application code or bundle, where anyone who unpacks the app can extract them. Secrets should be kept server-side and handed to the app only when needed, and should never be hardcoded, but this well-known bad practice has not stopped developers from continuing to put user data and sensitive information at risk. Google's project ID is the most commonly leaked secret, followed by Google App ID and Google API key. Some of the leaked values do not grant direct access on their own, but they help attackers map the app's backend and reach other user data.

One of the most sensitive leaked secrets is the storage bucket name, found in 78,343 App Store apps. It tells the app where to store data in cloud services such as Amazon S3 and Google Cloud Storage, and if access control on the bucket is not set up properly, attackers can read or delete stored user data. Database URLs are another major leak, found in 42,000 apps; they specify the location of the app's backend database. Google Ads Application IDs, Google Project IDs, and App IDs are unique identifiers that let apps communicate with Google services; when attackers find them in app code, they can locate exposed credentials, identify targets, and exploit other vulnerabilities.

OAuth tokens, which are used for user authentication, are usually not exposed, but OAuth Client IDs often are. Attackers can use leaked Client IDs to build fake OAuth consent screens for phishing and to hijack user sessions. iOS apps also often leak the Facebook Client Token and Facebook App ID, which are used for Facebook analytics, login, and sharing. Attackers can use these values to build phishing apps that look like the real ones, which can lead to account theft. Exposure of secrets in code is a major security threat: over 23 million hardcoded secrets were found on GitHub in 2024.
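The secret types discussed above (Google API key, project ID, app ID, storage bucket, database URL, OAuth client ID, Facebook App ID and client token) can all be checked for in an app bundle you have legitimately obtained. The scanner below is an added example written for this page, not Cybernews' tooling. It assumes the publicly known shapes of these values (Google API keys begin with "AIza", Firebase database URLs end in firebaseio.com, default buckets end in appspot.com, Google OAuth client IDs end in apps.googleusercontent.com) and the documented plist keys (API_KEY, PROJECT_ID, GOOGLE_APP_ID, STORAGE_BUCKET, DATABASE_URL, CLIENT_ID in GoogleService-Info.plist; FacebookAppID and FacebookClientToken in Info.plist); the regexes are this example's own simplifications, and the sample bundle it runs on is constructed with made-up values.

```python
import plistlib
import re
import zipfile
from collections import Counter
from dataclasses import dataclass

# Secret types from the article whose values have a recognisable shape in raw
# bytes. The formats are public; the regexes are this example's own
# simplifications and will not catch every variant.
PATTERNS = {
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_-]{35}"),
    "firebase_database_url": re.compile(rb"https://[a-z0-9-]+\.firebaseio\.com"),
    "storage_bucket": re.compile(rb"[a-z0-9-]+\.appspot\.com"),
    "google_oauth_client_id": re.compile(
        rb"[0-9]+-[0-9a-z]+\.apps\.googleusercontent\.com"),
}

# Plist keys the Firebase SDK (GoogleService-Info.plist) and Facebook SDK
# (Info.plist) read. Identifiers like PROJECT_ID have no distinctive shape,
# so they can only be found by key.
PLIST_KEYS = {
    "API_KEY": "google_api_key",
    "PROJECT_ID": "google_project_id",
    "GOOGLE_APP_ID": "google_app_id",
    "STORAGE_BUCKET": "storage_bucket",
    "DATABASE_URL": "firebase_database_url",
    "CLIENT_ID": "google_oauth_client_id",
    "FacebookAppID": "facebook_app_id",
    "FacebookClientToken": "facebook_client_token",
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    value: str
    how: str  # "plist key <KEY>" or "pattern"


def _scan_plist(path, data):
    """Look up known secret-bearing keys in a parsed plist (XML or binary)."""
    try:
        obj = plistlib.loads(data)
    except Exception:
        return []  # not a parseable plist; the regex pass still runs on it
    if not isinstance(obj, dict):
        return []
    return [Finding(path, kind, obj[key], f"plist key {key}")
            for key, kind in PLIST_KEYS.items()
            if isinstance(obj.get(key), str) and obj[key]]


def _scan_bytes(path, data):
    """Regex pass over any file, including the Mach-O binary itself."""
    return [Finding(path, kind, m.group().decode("ascii", "replace"), "pattern")
            for kind, rx in PATTERNS.items() for m in rx.finditer(data)]


def scan_files(files):
    """files: {path: bytes} of an unpacked bundle. Returns deduplicated findings."""
    seen = {}
    for path, data in files.items():
        hits = _scan_plist(path, data) if path.endswith(".plist") else []
        hits += _scan_bytes(path, data)
        for f in hits:  # the same value found by key and by pattern counts once
            seen.setdefault((f.path, f.kind, f.value), f)
    return sorted(seen.values(), key=lambda f: (f.path, f.kind, f.value))


def scan_ipa(ipa_path):
    """An .ipa is a zip archive; scan every member without extracting to disk."""
    with zipfile.ZipFile(ipa_path) as z:
        return scan_files({n: z.read(n) for n in z.namelist() if not n.endswith("/")})


def summarize(findings):
    """Count findings per secret type."""
    return Counter(f.kind for f in findings)


# Constructed sample bundle with made-up values; not taken from any real app.
SAMPLE_BUNDLE = {
    "Payload/Example.app/GoogleService-Info.plist": plistlib.dumps({
        "API_KEY": "AIzaSyA" + "0" * 25 + "EXAMPLE",
        "PROJECT_ID": "example-app-00000",
        "GOOGLE_APP_ID": "1:123456789012:ios:0123456789abcdef",
        "STORAGE_BUCKET": "example-app-00000.appspot.com",
        "BUNDLE_ID": "com.example.app",
    }),
    "Payload/Example.app/Info.plist": plistlib.dumps({
        "CFBundleIdentifier": "com.example.app",
        "FacebookAppID": "123456789012345",
        "FacebookClientToken": "0123456789abcdef0123456789abcdef",
    }),
    # Stand-in for the compiled binary: strings embedded among other bytes.
    "Payload/Example.app/Example": (
        b"\xcf\xfa\xed\xfe" + b"\x00" * 32
        + b"https://example-app-00000.firebaseio.com\x00"
        + b"example-app-00000.appspot.com\x00"
        + b"123456789012-abcdefghijklmnopqrstuvwxyz012345"
        b".apps.googleusercontent.com\x00"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_BUNDLE):
        print(f"{f.kind:24} {f.path:46} {f.value}  [{f.how}]")
```

A hit is not automatically a vulnerability: as the article notes, a bucket name or database URL only becomes exploitable when the backend's access rules are missing, so each finding should be followed by an authorization check against the referenced service, with permission from the owner. Values with no distinctive shape (project IDs, app IDs) are only found through their plist keys, which is why the key pass runs in addition to the regex pass.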
