Client-side security issues can lead to a product's backend being compromised: 3% of the Android apps we looked at contained secrets that exposed their backend infrastructure.
We analysed 2,000 Android apps; just over 50 of them shipped with app secrets that would allow a complete backend breach.
What are these secrets?
We looked for references to AWS, GCP, Twitter, GitHub and other popular services, and wrote rules that match each service's key format against the string constants in the app's decompiled Java code.
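What such a rule set looks like in practice, as an added example that is not Codified Security's tooling and not code from the original post: a minimal Python reader for the string table of classes.dex, which is where an Android app's Java string constants end up, followed by a few per-service matching rules. The DEX blob, the sample constants and the rule patterns are constructed for this example; the AWS values are the example credentials from AWS's own documentation and the others are made up.

```python
"""Read the string table of a classes.dex and match it against service key formats."""
import re
import struct

DEX_MAGIC = b"dex\n035\0"
STRING_IDS_SIZE_OFF = 0x38   # uint32 in the header: number of string_id_items
STRING_IDS_OFF_OFF = 0x3C    # uint32 in the header: file offset of the string_id_items array
HEADER_SIZE = 0x70


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 value at buf[pos]; return (value, next_pos)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def dex_strings(dex):
    """Yield every entry of the DEX string table, in table order."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    count, = struct.unpack_from("<I", dex, STRING_IDS_SIZE_OFF)
    table_off, = struct.unpack_from("<I", dex, STRING_IDS_OFF_OFF)
    for i in range(count):
        data_off, = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)  # length is in UTF-16 units, not bytes
        end = dex.index(b"\0", pos)                     # string_data is NUL-terminated MUTF-8
        yield dex[pos:end].decode("utf-8", errors="replace")


def looks_like_aws_secret(s):
    """AWS secret keys carry no prefix: 40 chars of [A-Za-z0-9/+] mixing cases and digits."""
    return bool(re.fullmatch(r"[A-Za-z0-9/+]{40}", s)
                and re.search(r"[a-z]", s) and re.search(r"[A-Z]", s) and re.search(r"\d", s))


# Prefix-based rules first; the prefix-less AWS secret heuristic last, as it is the noisiest.
SECRET_RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b").search),
    ("gcp_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])").search),
    ("github_token", re.compile(r"\bgh[pors]_[A-Za-z0-9]{36}(?![A-Za-z0-9])").search),
    ("aws_secret_access_key", looks_like_aws_secret),
]


def scan_dex(dex):
    """Return [(rule_name, string)] for every string table entry that trips a rule."""
    return [(name, s) for s in dex_strings(dex) for name, matches in SECRET_RULES if matches(s)]


def uleb128(value):
    """Encode an unsigned integer as LEB128 (used only to build the fixture below)."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def build_test_dex(strings):
    """Constructed fixture: a DEX with only the header fields dex_strings() reads filled in."""
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, STRING_IDS_SIZE_OFF, len(strings))
    struct.pack_into("<I", header, STRING_IDS_OFF_OFF, HEADER_SIZE)
    table, data = bytearray(), bytearray()
    data_base = HEADER_SIZE + 4 * len(strings)
    for s in sorted(strings):                       # real string tables are sorted by value
        table += struct.pack("<I", data_base + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\0"  # ASCII only, so UTF-16 length == len(s)
    return bytes(header + table + data)


# Constructed sample table: the constants a bundled backend helper library might contribute.
# The AWS values are the example credentials from AWS's documentation; the rest are made up.
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "https://api.example.com/v1/",
    "onCreate",
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AIzaSy" + "X" * 33,
    "ghp_" + "A1b2" * 9,
]

if __name__ == "__main__":
    for name, value in scan_dex(build_test_dex(SAMPLE_STRINGS)):
        print(f"{name:24} {value}")
```

Against a real APK you would unzip it, feed each `classes*.dex` to `scan_dex`, and expect the AWS secret heuristic to need manual review: unlike the prefixed formats it will also fire on any other 40-character base64-like constant.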
A real-world example
What are the consequences?
An attacker holding these secrets could take over sensitive customer data across the entire app, with the potential to reach whole clusters of servers and databases.
Why is this happening?
There are many scenarios in which a developer leaves in extra code that plays no role in the production version of the app. For example, a Java library is written to handle this data, with the intention that it only ever runs securely on the backend; the developers then find the library handy for something else and it gets bundled into the app. The problem is that all of the library's code now ships with the app, including the parts that talk to the backend and the credentials they use to do so.
Is there more?
In 40% of the apps we saw references to staging and development environments. Development servers are generally less well protected, so an attacker gets a good look at your product as well as any debug code that is still knocking around. Make sure to remove any references to staging and dev environments from your app before release.
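A check for the staging and dev references described above, added here as an example that is not from the original post or Codified Security's tooling: it picks URLs and hostnames out of an app's string constants and flags those that carry a non-production environment label or point at a non-routable address. The label list and the sample strings are assumptions constructed for the example.

```python
"""Flag strings that reference staging, development or otherwise non-production hosts."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname labels that mark a non-production environment (assumed list; extend per product).
ENV_LABELS = {"staging", "stage", "stg", "dev", "develop", "development", "test", "testing",
              "qa", "uat", "sandbox", "preprod", "internal", "local", "localhost"}

URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.I)
# Bare dotted hostname or IPv4 literal, optionally followed by a port.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\b", re.I)


def classify_host(host):
    """Return why a host looks non-production, or None if it looks like a public host."""
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return f"non-routable address {ip}"
        return None
    # Split on dots and dashes and drop trailing digits so dev2 / qa03 match as well.
    labels = {re.sub(r"\d+$", "", part) for part in re.split(r"[.-]", host)}
    hit = sorted(ENV_LABELS & labels)
    return f"environment label {hit[0]!r} in hostname" if hit else None


def environment_references(strings):
    """Return [(string, reason)] for every constant that points at a non-production host."""
    findings = []
    for s in strings:
        urls = URL_RE.findall(s)
        if urls:
            hosts = [urlsplit(u).hostname or "" for u in urls]
        else:
            hosts = [m.group(1) for m in HOST_RE.finditer(s)]
        for host in hosts:
            reason = classify_host(host)
            if reason:
                findings.append((s, reason))
                break
    return findings


# Constructed sample constants (not taken from any real app).
SAMPLE_STRINGS = [
    "https://api.example.com/v1/login",
    "https://api-staging.example.com/v1/login",
    "http://10.0.0.12:8080/debug/dump",
    "https://dev2.example.com/",
    "qa.example.com",
    "com.example.app",
    "onCreate",
    "http://localhost:3000/",
]

if __name__ == "__main__":
    for value, reason in environment_references(SAMPLE_STRINGS):
        print(f"{reason:40} {value}")
```

Bare-host matches deserve a second look, since a dotted Java package name such as `com.example.test` has the same shape as a hostname; the URL matches are the reliable ones.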
How do I stop this?
Remember that your app binary contains all the code you wrote. Once it's on the app store you have no idea who is going to download it and tear it apart. Get the app tested before each release and follow secure coding practices such as the OWASP Mobile Top 10.
Codified Security is here to help make your mobile app secure, whether it's for iOS or Android, and to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.