- Cybernews security researchers have found thousands of iOS applications with hardcoded secrets
- The secrets could be used in data leaks or wire fraud
- The majority of the secrets can be ignored as low sensitivity
Cybernews researchers have found evidence suggesting that thousands of App Store applications have left hardcoded secrets in their code, which has led to the exposure of sensitive user information to cybercriminals.
The researchers analyzed more than 156,000 iOS applications and discovered more than 815,000 hardcoded secrets, of which thousands were “very sensitive and could directly cause violations or data leaks”.
A “secret” is a broad term and includes things like API keys, passwords or encryption keys. Being “hardcoded” means that developers add these things directly to the source code. The general consensus is that they do it because it is practical in production, and often forget to remove the secrets once the application is put online.
Cloud information, API keys, scratch data
The average application's code exposes 5.2 secrets, and 71% of applications leak at least one secret, Cybernews reported.
The majority of these secrets can be ignored, they explained, because they cannot be used in criminal attacks. However, they found nearly 83,000 hardcoded cloud storage endpoints, 836 of which do not require authentication and could leak more than 400 TB of data. They also found 51,000 Firebase endpoints, of which “thousands” are open to outsiders, as well as thousands of exposed keys for Fabric API, Live Branch, MobApp Creator and others.
The biggest problem, however, was the Stripe secret keys, which directly control financial transactions. “Stripe is widely used by electronic commerce and even fintech companies to manage online payments,” said Cybernews, before stating that its team found 19 Stripe secret keys.
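For developers who want to check their own app before release, the following added example (not Cybernews' tooling or methodology) walks a bundled property list and flags the categories named above: Stripe keys, Firebase endpoints and cloud storage endpoints. The rule set, the severity labels and the sample plist are assumptions constructed for illustration.

```python
import plistlib
import re

# (kind, severity, pattern). Severity labels are this example's own judgment:
# Stripe publishable keys are meant to ship in clients, secret keys are not;
# endpoints need a manual check that they require authentication.
RULES = [
    ("stripe_secret_key", "high", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}")),
    ("stripe_publishable_key", "low", re.compile(r"\bpk_live_[0-9A-Za-z]{16,}")),
    ("firebase_endpoint", "review",
     re.compile(r"https://[a-z0-9-]+\.firebaseio\.com", re.I)),
    ("cloud_storage_endpoint", "review", re.compile(
        r"https?://[\w.-]*(?:amazonaws\.com|storage\.googleapis\.com"
        r"|blob\.core\.windows\.net)", re.I)),
]

def redact(value):
    """Keep enough of a match to locate it without copying it into reports."""
    return value[:12] + "..." if len(value) > 12 else value

def walk(node, path=""):
    """Yield (key_path, string) for every string value in a parsed plist."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_plist(data: bytes):
    """Return findings as (key_path, kind, severity, redacted_match)."""
    findings = []
    for path, text in walk(plistlib.loads(data)):
        for kind, severity, pattern in RULES:
            for match in pattern.finditer(text):
                findings.append((path, kind, severity, redact(match.group())))
    return findings

# Constructed sample bundle config; every value below is made up.
SAMPLE = plistlib.dumps({
    "CFBundleName": "DemoShop",
    "DATABASE_URL": "https://demo-shop-example.firebaseio.com",
    "Payments": {"Key": "sk_live_" + "EXAMPLE0" * 3,
                 "Public": "pk_live_" + "EXAMPLE0" * 3},
    "Assets": ["https://demo-shop-example.s3.amazonaws.com/img/logo.png"],
})

if __name__ == "__main__":
    for finding in scan_plist(SAMPLE):
        print(*finding, sep="\t")
```

A non-zero count of `high` findings is a reasonable condition for failing a release build; `review` findings still need a manual check of the endpoint's access rules.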
“Many people believe that iOS applications are more secure and less likely to contain malware. However, our research shows that many ecosystem applications contain easily accessible coded references. We followed the track and found open databases with personal data and an accessible infrastructure,” said Aras Nazarovas, security researcher at Cybernews.
“Some iOS developers make things too easy for hackers.”
We have contacted Apple for comment and will update the article when we hear back.
Via Cybernews