Top 10 secrets iOS apps leak without you knowing


Downloading an app should be safe. Unfortunately, this isn’t always the case. A Cybernews investigation found that 71% of iOS apps leak sensitive secrets, putting your data at risk.

When downloading an app, it’s natural to expect the developers to have your best interests at heart. But that’s not always the case – in fact, it’s often quite the opposite.

Cybernews researchers downloaded 156,000 iOS apps, which is around 8% of all apps on the Apple Store, to discover that app developers are leaving plaintext credentials in the application code accessible to anyone. The findings reveal staggering numbers: 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.


Whether due to unintentional slip-ups or outright neglect, this poses significant security threats for unknowing users. While many of the commonly leaked secrets may seem harmless, some can potentially grant attackers dangerous access to your most private data.

What is a hardcoded secret?

Hardcoding secrets is the practice of directly embedding sensitive information such as API keys, passwords, or encryption keys in the application code, which is accessible to anyone.

To put it simply, it's like leaving your house key under the mat at your front door. As an attacker, you only need to look under it to gain easy access.

Secrets should never be hardcoded in the app code, as threat actors can easily exploit them. Instead, they should be securely stored on your servers.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified hardcoding secrets as a bad security practice. However, this does not seem to have stopped developers from continuing to leave sensitive information out in the wild.

What secrets do iOS apps leak the most?

[Image: top leaked secrets in iOS apps. Image by Cybernews.]

The app needs these endpoints, tokens, and IDs to authenticate, access, and manage various services and APIs, such as Google Cloud, Firebase, Facebook, and ad platforms.

Some of the leaked secrets can't grant unauthorized access by themselves, but they are often used to exploit other leaked secrets or identify target endpoints. Attackers can use them to launch credential stuffing and brute-force attacks or look for misconfigurations and vulnerabilities.

However, a few of the top ten exposed secrets are extremely sensitive, as they could allow attackers to access app databases with user data if the endpoints are misconfigured.

These secrets could grant access to your private data

The Storage Bucket is one of the most sensitive leaked secrets. We found it exposed in 78,343 Apple Store apps. This endpoint identifier typically allows an app to access and interact with cloud storage services, such as Google Cloud Storage or Amazon S3.

If proper authentication is not set up or the credentials are simply left in the application code, attackers could read or delete data stored in the cloud, putting user data at risk.

Another highly sensitive secret that was discovered is the Database URL. This endpoint specifies where the database for that specific app is located. Over 42,000 tested apps had this secret exposed.

If the Firebase endpoint isn’t secured or authentication secrets are exposed, attackers could access user data stored in the database.

“These are some of the most important leaked endpoints, as they specify where user data is stored, while databases typically store user information such as activity logs, usernames, email addresses, and passwords,” Aras Nazarovas, a security researcher at Cybernews, explained.


“Cloud storage typically stores user-uploaded files, such as work documents or images sent through in-app chats,” he added.

What can attackers do with your secrets?

Google Project IDs, Google Ads Application IDs, and App IDs are unique identifiers that apps need when communicating with Google services, such as Google Maps, Google Analytics, Google Ads, Firebase, or Cloud Storage.

If attackers find them in the app code, they can use them to identify the target, which makes it easier to locate other exposed credentials or vulnerable endpoints to exploit.

Combined with other credentials, such as API keys, attackers could try to access Google services linked to that app. Attackers could also try to impersonate the app, allowing them to gain unauthorized access to services, modify and steal private data, or carry out malicious actions, such as overloading the API with fake requests.

While OAuth tokens, essential for user authentication, are typically not exposed, the client ID accompanying them is one of the most commonly leaked secrets.

Attackers can use a leaked Client ID to create fake OAuth consent screens and phish users into granting access to their accounts. If an app does not properly validate tokens, an attacker could also use a stolen Client ID to hijack sessions.


These secrets could help attackers access Facebook accounts


iOS apps also commonly leak Facebook App ID and Facebook Client Token. These secrets help to identify the app in Facebook's ecosystem, enabling features like Facebook Login, Analytics, and Sharing.

Attackers could use these credentials to create phishing apps that mimic legitimate ones, potentially leading to user account theft.

As a client token is used to authenticate API requests to Facebook on behalf of an app, attackers could use leaked tokens to make requests to Facebook Graph API.
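The secrets discussed in the two sections above (Storage Bucket, Database URL and the Google identifiers, plus the Facebook App ID and Client Token) normally end up in an app bundle through configuration plists. The following script, added here as an example and not part of the Cybernews research, audits the plists of an unpacked .app directory for those keys and grades each finding by the risk the article assigns it. The plist key names are the real ones written by the Firebase and Facebook iOS SDKs; the bundle contents are constructed placeholders.

```python
import plistlib
from typing import Dict, List, Tuple

# Real plist keys written by the Firebase (GoogleService-Info.plist) and
# Facebook (Info.plist) iOS SDKs, graded by the risk the article assigns them.
WATCHED_KEYS = {
    "STORAGE_BUCKET": "high",        # cloud storage endpoint
    "DATABASE_URL": "high",          # Firebase database endpoint
    "API_KEY": "high",               # combines with the IDs below to reach Google services
    "CLIENT_ID": "medium",           # OAuth client ID: fake consent screens, session abuse
    "FacebookClientToken": "medium", # authenticates Graph API requests for the app
    "PROJECT_ID": "low",             # identifiers: reconnaissance value only
    "GOOGLE_APP_ID": "low",
    "FacebookAppID": "low",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def scan_plist(name: str, data: bytes) -> List[Tuple[str, str, str]]:
    """Return (file, key, severity) for each watched key with a non-empty string value."""
    plist = plistlib.loads(data)
    return [(name, key, sev) for key, sev in WATCHED_KEYS.items()
            if isinstance(plist.get(key), str) and plist[key].strip()]

def scan_bundle(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Scan every .plist in an unpacked .app directory, highest severity first."""
    findings = []
    for name, data in files.items():
        if name.endswith(".plist"):
            findings.extend(scan_plist(name, data))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0], f[1]))

# Constructed sample bundle (placeholder values, not real credentials).
SAMPLE_BUNDLE = {
    "GoogleService-Info.plist": plistlib.dumps({
        "PROJECT_ID": "example-project",
        "STORAGE_BUCKET": "example-project.appspot.com",
        "DATABASE_URL": "https://example-project.firebaseio.com",
        "CLIENT_ID": "000000000000-placeholder.apps.googleusercontent.com",
        "API_KEY": "",  # left blank: an empty slot is not a leak and is not reported
    }),
    "Info.plist": plistlib.dumps({
        "CFBundleIdentifier": "com.example.app",
        "FacebookAppID": "000000000000000",
        "FacebookClientToken": "placeholder-client-token",
    }),
    "Assets.car": b"\x00binary",  # non-plist files are skipped
}

if __name__ == "__main__":
    for name, key, sev in scan_bundle(SAMPLE_BUNDLE):
        print(f"{sev:6} {name}: {key}")
```

Run it against the contents of an extracted IPA's Payload/*.app directory to see which of the article's top secrets your own build ships; presence of a high-severity endpoint is the cue to verify the bucket and database rules rather than proof of exposure.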

Why are we in trouble?

The trend of leaving the secrets exposed in the code is extremely widespread. Security firm GitGuardian revealed that throughout 2024, developers committed code to GitHub with over 23 million new hardcoded secrets.

“Because these secrets are so widespread and easy to exploit, this type of vulnerability is considered the biggest threat to mobile applications,” said Nazarovas.

“This signals malicious actors that a lot of apps are vulnerable, and they don't need to put in a lot of effort to exploit them. This is motivating for a large number of threat actors to exploit them at scale,” he added.

Global security concerns exist as the cyber threat never sleeps, and a single secret, such as an API key, can cause massive problems. In December 2024, Chinese state-sponsored hackers remotely accessed the US Treasury Department by exploiting a compromised API key from BeyondTrust, a technical support provider.

Verizon's report shows that over the past decade, stolen credentials were involved in 31% of all breaches. What is especially troublesome is that breaches caused by stolen or compromised credentials are the most difficult to detect. According to IBM’s report, they take an average of 292 days to identify and resolve – longer than any other attack method.
