Massive research into iOS apps uncovers widespread secret leaks, abysmal coding practices

Most apps on Apple’s App Store seem to leak at least one hard-coded secret. Many high-sensitivity secrets were found, including keys to cloud storage, various APIs, and even payment processors. Some endpoints are left completely unprotected, putting users at risk.
Apple’s App Store is renowned for its walled garden approach and strict app review process. However, it doesn’t evaluate the app code for hardcoded secrets.
Cybernews research into more than 156,000 iOS apps has unveiled more than 815,000 hardcoded secrets, including thousands that are very sensitive and could lead directly to breaches or data leaks.
The average app's code exposes 5.2 secrets, and 71% of apps leak at least one secret.
The majority of secrets could be disregarded as low sensitivity. However, that still leaves too many very sensitive keys exposed by app developers.
“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” Aras Nazarovas, a security researcher at Cybernews, said.
“Some iOS developers just make it too easy for hackers.”
Hardcoding secrets is the practice of directly embedding sensitive information such as API keys, passwords, or encryption keys in the source code. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified it as a bad security practice and discouraged it.
Credentials placed in client applications are accessible to anyone, and threat actors can easily abuse them to gain access to systems.
Key takeaways
- Almost 83,000 hardcoded Cloud storage endpoints, 836 of which do not require authentication, leaking 406TB of data.
- Over 51,000 Firebase endpoints, thousands open to outsiders.
- Thousands of keys exposed for Fabric API, Live Branch, MobApp Creator, and others.
- Hundreds of the most sensitive keys can be abused to issue payments and refunds and obtain private data and communications.
Methodology
The Cybernews Research team extracted and analyzed the code of 156,080 randomly selected iOS apps for hardcoded secrets. Apple says 1.8M apps are available in the App Store worldwide, so the sample covers around 8% of the catalog. The analyzed app versions date from October 2nd-16th, 2024.
The researchers did not attempt to de-obfuscate or decompile the apps. Even so, a staggering number of secrets turned up in plaintext files stored inside the apps’ IPA archives. An IPA is an ordinary zip file, so those files can be pulled out with standard tools and searched.
Cybernews also checked the cloud bucket and Firebase endpoints to see if they had authentication.
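The extraction step described above, as an added example that is not Cybernews’ tooling or code from any app in the study: an IPA is unzipped in memory, plist files are parsed (binary plists would otherwise hide their strings from a naive grep), and every file under Payload/ is matched against the public key prefixes that vendors document. The regexes and the sensitivity labels are this example’s own assumptions, and the sample IPA, with its fake GoogleService-Info.plist and config.json, is constructed inline with placeholder values.

```python
"""Pull hardcoded secrets out of an IPA without decompiling anything.

Added example, not Cybernews' tooling. An .ipa is a zip archive whose
Payload/<Name>.app/ directory holds the Mach-O binary plus resource files
such as Info.plist and GoogleService-Info.plist. The key formats below are
assumptions based on the prefixes each vendor documents; the sample IPA is
constructed in memory and every value in it is a placeholder.
"""
import io
import plistlib
import re
import zipfile

# kind -> (byte regex, sensitivity). Sensitivities are this example's own labels.
PATTERNS = {
    "stripe_secret_key": (re.compile(rb"sk_(?:live|test)_[0-9A-Za-z]{24,}"), "critical"),
    "aws_access_key_id": (re.compile(rb"AKIA[0-9A-Z]{16}"), "high"),
    "google_api_key": (re.compile(rb"AIza[0-9A-Za-z_-]{35}"), "medium"),
    "stripe_publishable_key": (re.compile(rb"pk_(?:live|test)_[0-9A-Za-z]{24,}"), "low"),
    "firebase_rtdb_url": (re.compile(rb"https://[a-z0-9-]+\.firebaseio\.com"), "endpoint"),
    "gcs_bucket": (re.compile(rb"[a-z0-9.-]+\.appspot\.com"), "endpoint"),
}


def _strings(obj):
    """Yield every string inside a parsed plist (dicts, lists, scalars)."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _strings(v)


def redact(value: str) -> str:
    """Keep enough of a match to triage it, never the whole secret."""
    return value if len(value) <= 12 else value[:8] + "..." + value[-4:]


def scan_ipa(ipa_bytes: bytes) -> list:
    """Return de-duplicated findings from every file under Payload/."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("Payload/") or name.endswith("/"):
                continue
            data = z.read(name)
            if name.endswith(".plist"):
                # Binary plists hide strings from a naive grep; parse them first.
                try:
                    data = "\n".join(_strings(plistlib.loads(data))).encode()
                except Exception:
                    pass  # not a parseable plist: fall back to raw bytes
            for kind, (rx, sensitivity) in PATTERNS.items():
                for m in rx.finditer(data):
                    value = m.group(0).decode(errors="replace")
                    key = (name, kind, value)
                    if key in seen:
                        continue
                    seen.add(key)
                    # Endpoints are not secrets, so they are kept whole for follow-up checks.
                    shown = value if sensitivity == "endpoint" else redact(value)
                    findings.append({"file": name, "kind": kind,
                                     "sensitivity": sensitivity, "value": shown})
    return findings


def count_by_sensitivity(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f["sensitivity"]] = counts.get(f["sensitivity"], 0) + 1
    return counts


def build_sample_ipa() -> bytes:
    """Constructed fixture: minimal IPA layout with placeholder Firebase/Stripe config."""
    firebase_cfg = {
        "API_KEY": "AIza" + "A" * 35,                        # placeholder, not a real key
        "PROJECT_ID": "example-app-12345",
        "STORAGE_BUCKET": "example-app-12345.appspot.com",
        "DATABASE_URL": "https://example-app-12345.firebaseio.com",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.app"}))
        z.writestr("Payload/Example.app/GoogleService-Info.plist",
                   plistlib.dumps(firebase_cfg, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Example.app/config.json",
                   '{"stripe_secret": "sk_live_' + "x" * 24 + '", "stripe_pk": "pk_live_' + "y" * 24 + '"}')
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ipa(build_sample_ipa()):
        print(f"{f['sensitivity']:9} {f['kind']:24} {f['file']}  {f['value']}")
```

Run against a real IPA by passing `open(path, "rb").read()` to `scan_ipa`. The publishable Stripe key is reported as low sensitivity on purpose: it is designed to live in clients, unlike the `sk_` secret next to it, and a scanner that does not make that distinction buries the findings that matter.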
Vast number of low-sensitivity keys signals bad practices
The most commonly leaked keys and IDs are low-sensitivity and are not used for authentication.
Cybernews researchers extracted around 79,000 Google Project IDs, which are unique identifiers for Google Cloud Platform projects. These IDs are used to route API requests and manage resources. Apps need to include them when communicating with Google, which uses them for organization and billing.
A similar number (79,000) of Google App IDs was also discovered. These IDs identify the app to Google’s services, for instance when displaying ads or reporting usage statistics, and are meant to be embedded in the source code.
Other most commonly leaked low-sensitivity secrets include almost 68,000 Client IDs, 43,000 Google AdMob Application IDs, 37,000 Facebook App IDs (which are used to interact with the platform’s services), 20,000 Android Client IDs, and almost 17,000 Facebook Client tokens.
“These secrets alone are not enough to gain unauthorized access to protected resources, but they are often required to abuse other leaked secrets or to identify target endpoints. However, some other secrets, such as Firebase endpoints or cloud storage endpoints can be derived from project ID or other keys,” Nazarovas said.
Google API keys need more care. Cybernews found 78,800 of them embedded in iOS apps. They authenticate requests to Google’s APIs and tie usage to a project for quota and billing, and Google warns that an exposed key can lead to the account being compromised. Google’s own guidance for keys that must ship inside a client is to restrict each key to the app’s iOS bundle ID and to the specific APIs it needs, so that a key lifted from the IPA is useless anywhere else; an unrestricted key is the one that gets abused.
“A large amount of Google IDs and keys in iOS apps demonstrate Google’s strong presence in mobile app development frameworks used by developers. Any leaking keys signal bad coding practices. Threat actors can abuse the combinations of various keys and expose the developers and app users to unnecessary risks,” Nazarovas said.

Where things start to get interesting: 78,000 apps expose cloud storage buckets
Over half of the analyzed iOS apps expose their cloud storage bucket endpoints, which is a major oversight. Buckets are the named containers in which cloud object storage services hold files and data.
Cybernews researchers discovered over 78,000 apps with Storage Bucket instances hardcoded in the source code. Some apps contained more than one storage bucket endpoint, bringing the total number of buckets to over 94,000.
Even when attackers knew only a bucket name or path, they have in the past gained access by exploiting misconfigurations or weak permissions, or through credential stuffing, brute force, or social engineering. Sometimes this leads to racked-up cloud bills or even account compromise.
In some cases here, however, attackers would not need to try at all: at least 836 (0.89%) of these endpoints did not require authentication to access.
In the open instances, the Cybernews research team found over 76 billion exposed files, resulting in over 406TB of data being leaked across all the publicly accessible storage buckets.
“Attackers could read, download, or delete the data stored in the cloud. It usually includes registration data, user-uploaded files, backups, receipts, reports, app logs, and other details,” Nazarovas said.
Over 4% of Firebase endpoints left unprotected
The Cybernews researchers extracted over 51,000 Firebase endpoint URLs from the analyzed iOS apps. Firebase is Google’s app development platform, providing many tools and services, such as databases, storage, authentication, and others.
A hardcoded endpoint URL alone does not mean attackers can get in; access depends on the database’s security rules. However, 2,218 (4.3%) of these endpoints did not require authentication to read. In those open instances, the research team found 19.8 million exposed records, amounting to 33GB of leaked data. Almost all of the instances were hosted in the US.
“If the Firebase endpoint has no authentication set up, or if authentication secrets are also leaked, malicious actors could access user data stored within the database,” Nazarovas explained.
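The check the researchers describe for both storage buckets and Firebase endpoints, as an added example that is not Cybernews’ own checker: the Realtime Database and Cloud Storage URLs are derived from a leaked project ID (or taken from the plist when it states them, since newer databases use region-specific hosts), then fetched without credentials and classified from the status code and body. The URL shapes are the public REST forms (`/.json` with `?shallow=true` so an open database is not downloaded wholesale, and the Cloud Storage XML listing), while the status interpretation is this example’s assumption and the sample responses are constructed. The fetcher is injectable so the block runs offline; only run the live fetcher against projects you are authorized to test, since a read of an open database is already someone else’s data, and never attempt writes.

```python
"""Derive Firebase and Cloud Storage endpoints from a leaked project ID and
test whether they answer unauthenticated reads.

Added example, not Cybernews' own checker. URL shapes follow the public REST
interfaces; the verdict logic is an assumption and SAMPLE_RESPONSES is
constructed. Probe only projects you are authorized to test; read only.
"""
import urllib.error
import urllib.request


def derive_endpoints(project_id: str, database_url: str = None, bucket: str = None) -> dict:
    """Build probe URLs from a project ID, preferring explicit values from the plist."""
    db = (database_url or f"https://{project_id}.firebaseio.com").rstrip("/")
    bkt = bucket or f"{project_id}.appspot.com"
    return {
        "firebase_rtdb": f"{db}/.json?shallow=true",      # shallow=true: keys only, not the tree
        "gcs_bucket": f"https://storage.googleapis.com/{bkt}/",
    }


def http_fetch(url: str, timeout: float = 10.0) -> tuple:
    """Default fetcher: (status, body) via urllib; HTTP errors become their status."""
    req = urllib.request.Request(url, headers={"User-Agent": "endpoint-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode(errors="replace")


def classify(kind: str, status: int, body: str) -> str:
    """Map a probe response to open / locked / missing / unknown (assumed mapping)."""
    if kind == "firebase_rtdb":
        if status == 200:
            return "open"            # security rules allow unauthenticated read
        if status in (401, 403) and "Permission denied" in body:
            return "locked"
        if status == 404:
            return "missing"
    elif kind == "gcs_bucket":
        if status == 200 and "<ListBucketResult" in body:
            return "open"            # anonymous users can list objects
        if status == 403:
            return "locked"          # bucket exists, listing denied
        if status == 404:
            return "missing"
    return "unknown"


def probe(project_id: str, fetch=http_fetch, **kw) -> dict:
    """Probe every derived endpoint; `fetch` is injectable for offline tests."""
    results = {}
    for kind, url in derive_endpoints(project_id, **kw).items():
        status, body = fetch(url)
        results[kind] = {"url": url, "status": status, "verdict": classify(kind, status, body)}
    return results


# Constructed responses for two hypothetical projects; no network involved.
SAMPLE_RESPONSES = {
    "https://open-demo.firebaseio.com/.json?shallow=true": (200, '{"users":true,"orders":true}'),
    "https://storage.googleapis.com/open-demo.appspot.com/":
        (200, "<ListBucketResult><Name>open-demo.appspot.com</Name></ListBucketResult>"),
    "https://locked-demo.firebaseio.com/.json?shallow=true": (401, '{"error":"Permission denied"}'),
    "https://storage.googleapis.com/locked-demo.appspot.com/":
        (403, "<Error><Code>AccessDenied</Code></Error>"),
}


def fake_fetch(url: str) -> tuple:
    """Offline fetcher returning the constructed responses (404 for anything else)."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for pid in ("open-demo", "locked-demo", "nonexistent-demo"):
        for kind, r in probe(pid, fetch=fake_fetch).items():
            print(f"{pid:17} {kind:14} {r['status']} {r['verdict']}")
```

For a real check, pass the `DATABASE_URL` and `STORAGE_BUCKET` values recovered from the app’s plist as `database_url` and `bucket`, and leave `fetch` at its default.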
Thousands of Fabric API and Live Branch keys expose users
The analyzed iOS apps also contained 8,400 Fabric API Keys for accessing the Fabric order management system. App developers use Fabric to manage, track, and fulfill orders. However, for threat actors, this is a gateway to users’ personal data.
“These API Keys can likely be used to obtain information on user orders, which often includes names, addresses, email addresses, order tracking information, and partial or full payment information,” Nazarovas explained.
The other most numerous sensitive hardcoded secret was Live Branch Keys, granting access to marketing and user data on Branch.io. Researchers found over 3,300 of these keys.
“Branch.io is a marketing platform used to track marketing campaigns and provide advanced deep-linking features. Using the leaked keys, attackers may be able to obtain user information such as phone numbers, email addresses, and app usage data for specific users.”
Maximum severity: leaking financial information and comms
The most sensitive secrets were the 19 Stripe secret keys, which directly control financial transactions. Stripe is widely used by e-commerce and even fintech companies to handle online payments.
“Compromised Stripe secret keys can be used by attackers to issue payments and refunds, and list user information such as billing addresses, names, and payment information. Extracted from plain text, these keys can directly lead to fraud and financial loss,” Nazarovas warned.

Cybernews researchers also found 367 JWT (JSON Web Token) secret keys. A JWT secret is the key a backend uses to sign the tokens that carry a user’s identity and permissions, and to verify them on every request; whoever holds it can mint tokens the backend will accept.
“An attacker with access to the JWT secret key may craft their own malicious requests, allowing them to perform attacks such as session hijacking, arbitrarily changing user data such as addresses or passwords or privileges,” Nazarovas explained.
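The attack described above, as an added example that is not from the research: an HS256 JWT implemented with only the standard library so the mechanics are visible. The server signs a session token with its secret; an attacker holding that same secret (here a constructed placeholder standing in for one recovered from an IPA) mints a token with whatever claims they like, and the server’s own verification accepts it. The verifier pins the algorithm and uses a constant-time comparison, so the forgery succeeds purely because the key leaked, not because of a verification bug.

```python
"""Why a leaked JWT signing secret is an account-takeover primitive.

Added example, not Cybernews' tooling. LEAKED_SECRET is a constructed
placeholder; claim names are illustrative.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature exactly as an HS256 JWT library would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the signature checks out; raise ValueError otherwise.

    Pins the algorithm to HS256 so a token cannot be downgraded to 'none',
    and compares signatures in constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


# Placeholder standing in for a secret recovered from an IPA (constructed).
LEAKED_SECRET = b"example-app-jwt-secret-do-not-ship-in-client"


def forge_admin_token(secret: bytes = LEAKED_SECRET) -> str:
    """What an attacker does with the leaked secret: mint a privileged session."""
    return sign_hs256({"sub": "attacker", "role": "admin"}, secret)


def demo() -> dict:
    """The backend accepts the legitimate token and the forged one alike."""
    legit = sign_hs256({"sub": "alice", "role": "user"}, LEAKED_SECRET)
    forged = forge_admin_token()
    return {"legit": verify_hs256(legit, LEAKED_SECRET),
            "forged": verify_hs256(forged, LEAKED_SECRET)}


if __name__ == "__main__":
    print(demo())
```

The only remediation is the one the article gives for every leaked credential: rotate the secret, which invalidates every token signed under the old one, including the attacker’s.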
The analyzed iOS apps also contained 76 Twitter consumer secrets, putting the accounts behind them up for grabs. A consumer key and secret authenticate the app itself to Twitter’s API; together with the user access tokens that Twitter’s OAuth flow issues to the app, they can be used to manage accounts, including reading direct messages, creating posts, liking or retweeting, removing or adding followers, and accessing account settings.
And there are many more very sensitive hardcoded secrets.
MobApp Creator is an online mobile app creation service that includes integration with ad networks, push notifications, and e-commerce integrations. The discovered 490 MobApp Creator API Secrets can be abused to gain access to personal information such as names, addresses, phone numbers, email addresses, payment information, and viewed ads.
Attackers could also abuse them to view the contents of push notifications and potentially create and push their own notifications.
Almost 80 Braze (customer engagement platform) API Keys could be used to track user purchases and activities, delete accounts, get user email addresses, and send push notifications and SMS messages.
Over 260 Raygun (a software monitoring tool) API keys would reveal user information, such as location, names, email addresses, activity logs, IP addresses, and device diagnostic data.
There were also 254 Firebase Dispatch FCM API keys, which can be abused to send push notifications of the attacker’s choosing to the app’s users.
“API tokens, username-password pairs, private keys, and similar sensitive secrets are straightforward to exploit and can lead to account takeovers, access to data stored within these accounts, unauthorized actions such as financial transactions, and lateral movement to other services and infrastructure,” Nazarovas explained.
It’s time to handle secrets properly
Unfortunately, app users can’t easily check apps for hardcoded secrets or rely on App Store reviewers to check for them. The best approach would be to rely on apps from credible, established developers, limit app permissions, and be cautious about entering personal details. Unused apps should be deleted.
It is up to app developers to close these holes, and removing hardcoded secrets from an already published app is not simple.
“To resolve the issues of leaked credentials, new credentials need to be generated, and old ones need to be revoked. When credentials are revoked, they will break the functionality of the app that relies on accessing the affected service until the app is configured to use new credentials,” Nazarovas said, outlining the first step.
Ensuring that credentials are no longer stored in the client app may require significant architectural changes. Cybernews researchers recommend keeping secrets on a backend server or using client-safe SDKs: user requests are routed through a proxy server that holds the credentials and calls the third-party service on the app’s behalf.
This can ultimately introduce new bugs or other mistakes that could break the app, compromise its security, and even prompt the App Store to reject the update.
“Developers face a dilemma: either they have to quickly take the leaking app offline, possibly interrupting the services, or they continue running a vulnerable version for weeks until the update gets developed, reviewed, and approved,” Nazarovas said.
Apple claims that reviewing an app update takes only 24 hours in 90% of cases. However, the App Store Review process can sometimes take up to a few weeks.
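The architectural change the researchers recommend, as an added example that is not code from any app in the study: the client-embedded key beside a backend that holds the secret. The hardened path authenticates the caller’s session, checks that the charge actually belongs to that user before touching it, and only then uses a key read from the server’s environment, so the iOS client never carries anything worth extracting. The Stripe key, session table, order table and payment API are constructed placeholders, and both the upstream call and the environment are injectable so the block runs offline.

```python
"""The client-embedded-key anti-pattern beside the backend-held-secret design.

Added example of the recommended architecture; not code from any app in the
study. Keys, sessions, orders and the upstream client are constructed.
"""
import os


class AuthError(Exception):
    """Raised when the caller may not perform the requested operation."""


# --- Anti-pattern: the key is compiled into the client and ships inside the IPA ---
CLIENT_EMBEDDED_KEY = "sk_live_placeholder0000000000000000"  # placeholder, not a real key


def client_refund_insecure(charge_id: str, upstream) -> dict:
    """Anyone who unzips the app can read this key and call the payment API directly."""
    return upstream("POST", "/v1/refunds", CLIENT_EMBEDDED_KEY, {"charge": charge_id})


# --- Hardened: the secret exists only on the server and is never in source ---
SESSIONS = {"sess-alice": "alice", "sess-mallory": "mallory"}           # constructed
ORDERS = {"ch_1": {"owner": "alice", "refunded": False},                 # constructed
          "ch_2": {"owner": "bob", "refunded": False},
          "ch_3": {"owner": "alice", "refunded": False}}


def server_secret(env=os.environ) -> str:
    """Read the key from the deployment environment or a secrets manager, never from code."""
    key = env.get("STRIPE_SECRET_KEY")
    if not key:
        raise RuntimeError("STRIPE_SECRET_KEY is not configured on the server")
    return key


def backend_refund(session_token: str, charge_id: str, upstream, env=os.environ) -> dict:
    """Authenticate the caller, authorize the specific object, then act with the server's key.

    The client only ever sends its session token and the charge ID; the
    provider secret is used here, server-side, after the ownership check.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        raise AuthError("invalid session")
    order = ORDERS.get(charge_id)
    if order is None or order["owner"] != user:
        raise AuthError("charge does not belong to caller")   # blocks cross-user access
    if order["refunded"]:
        raise AuthError("already refunded")
    result = upstream("POST", "/v1/refunds", server_secret(env), {"charge": charge_id})
    order["refunded"] = True
    return result


def fake_upstream(method: str, path: str, api_key: str, data: dict) -> dict:
    """Constructed stand-in for the payment API: echoes what it was asked to do."""
    return {"method": method, "path": path, "key_used": api_key,
            "charge": data["charge"], "status": "succeeded"}


if __name__ == "__main__":
    env = {"STRIPE_SECRET_KEY": "sk_test_placeholder"}   # constructed deployment config
    print(backend_refund("sess-alice", "ch_1", fake_upstream, env))
    try:
        backend_refund("sess-mallory", "ch_2", fake_upstream, env)
    except AuthError as e:
        print("rejected:", e)
```

The ownership check is the part that tends to be forgotten when a call is moved server-side: a backend that holds the secret but refunds any charge ID a logged-in user names has only moved the problem from the IPA to the API.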
Apple is the largest US company by market capitalization and the most prominent brand in the US smartphone market, holding the majority market share of 53.1%. The App Store is the sole app distribution marketplace for the platform in the US.
Cybernews reached out to Apple for comments on research findings, but did not receive a response before publishing this article.
Comments
App Updates and Security Vulnerabilities:
Regular updates are essential for enhancing functionality and addressing security vulnerabilities. However, the presence of hardcoded secrets represents a fundamental security flaw that persists across versions unless explicitly addressed by developers. Each update that fails to rectify this issue continues to expose both the application and its users to potential threats, regardless of the app's development stage.
Beta Versions and Security Reviews:
Beta versions are instrumental for testing and feedback but are not exempt from security considerations. While Apple's TestFlight allows for beta testing, these versions still undergo a review process, albeit potentially less rigorous than the standard App Store review. This lighter scrutiny can result in security oversights, making it imperative for developers to proactively ensure the security of their apps during all development stages.
Terms and Conditions and User Consent:
Users agreeing to an app's terms and conditions does not equate to consenting to security vulnerabilities. Such agreements typically outline the app's functionalities, user responsibilities, and legal disclaimers but do not absolve developers from implementing robust security measures. Moreover, terms and conditions are not legally required but are advisable to set clear expectations and protect both parties.
The dynamic nature of app development and user agreements does not diminish the critical need for secure coding practices. Embedding sensitive information within app code is a hazardous practice that exposes both developers and users to substantial risks. Developers must prioritize security at every development stage, ensuring that regular updates and beta testing phases do not become conduits for vulnerabilities.