- Cybernews security researchers found thousands of iOS applications with hardcoded secrets
- The secrets could be used for data breaches or wire fraud
- Most of the secrets are low sensitivity and can be ignored
Cybernews researchers have found evidence suggesting that thousands of App Store applications have secrets hardcoded in their code, leaving users' confidential information exposed to cybercriminals.
The researchers analyzed more than 156,000 iOS applications and discovered more than 815,000 hardcoded secrets, thousands of which were "very sensitive and could lead directly to breaches or data leaks."
A "secret" is a broad term that covers things such as API keys, passwords and encryption keys. "Hardcoded" means that developers put these values directly into the source code. The general consensus is that they do it because it is convenient during development, and then often simply forget to remove the secrets once the application is launched.
Cloud storage, API keys, Stripe data
The average application exposes 5.2 secrets, and 71% of applications leak at least one secret, Cybernews reported.
The researchers explained that most of these secrets can be ignored, since they cannot be used in criminal attacks. However, they found almost 83,000 hardcoded cloud storage endpoints, 836 of which require no authentication and could leak more than 400 TB of data. They also found 51,000 Firebase endpoints, "thousands" of which are open to outsiders, as well as thousands of exposed keys for Fabric API, Live Branch, MobApp Creator and other services.
The biggest problem, however, was Stripe secret keys, which directly control financial transactions. "Stripe is widely used by e-commerce and even fintech companies to handle online payments," Cybernews explained, before stating that its team found 19 Stripe secret keys.
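The two paragraphs above describe the kinds of values the researchers pulled out of app bundles (cloud storage and Firebase endpoints, third-party API keys, Stripe secret keys) and the point that most findings are low sensitivity while a few are critical. The following is an added example, not code from Cybernews or from the article, of the kind of pre-release secret scan a development team can run over its own build output to catch these before shipping. The key prefixes (Stripe's sk_live_/pk_live_, AWS's AKIA, the *.firebaseio.com hostname form) are publicly documented; the regexes, severity ranking, sample bundle contents and function names are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Detection rules for secret types the article names. Severity reflects the
# article's point: a Stripe *secret* key moves money and blocks release, a
# Stripe *publishable* key is designed to be public and is only informational.
# The patterns and severities are assumptions made for this example.
PATTERNS = [
    ("stripe_secret_key", re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{16,}\b"), "high"),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("firebase_endpoint", re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"), "medium"),
    ("generic_api_key",
     re.compile(r"""(?i)\b(api[_-]?key|secret)["']?\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']"""),
     "medium"),
    ("stripe_publishable_key", re.compile(r"\bpk_(live|test)_[0-9A-Za-z]{16,}\b"), "low"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    file: str
    kind: str
    severity: str
    value: str  # redacted, never the full secret


def redact(value: str) -> str:
    # Keep just enough of the match to triage it without writing the secret to a report.
    return value[:8] + "..." if len(value) > 8 else value


def scan_blob(path: str, data: bytes) -> list[Finding]:
    # Binaries and plists are scanned as loosely decoded text; secrets embedded
    # in a Mach-O string table survive this because they are plain ASCII.
    text = data.decode("utf-8", errors="ignore")
    findings = []
    for kind, rx, severity in PATTERNS:
        for m in rx.finditer(text):
            findings.append(Finding(path, kind, severity, redact(m.group(0))))
    return findings


def scan_bundle(files: dict[str, bytes]) -> list[Finding]:
    # files maps a path inside the unpacked .ipa to its raw contents.
    out: list[Finding] = []
    for path, data in files.items():
        out.extend(scan_blob(path, data))
    return sorted(out, key=lambda f: (SEVERITY_ORDER[f.severity], f.file))


def release_blockers(findings: list[Finding]) -> list[str]:
    # Files containing a high-severity secret; a build with any of these should not ship.
    return sorted({f.file for f in findings if f.severity == "high"})


# Constructed sample bundle (hypothetical app, placeholder key material).
SAMPLE_BUNDLE = {
    "Payload/Demo.app/Info.plist": b"<key>CFBundleName</key><string>Demo</string>",
    # A compiled binary with both a publishable and a secret Stripe key in its string table.
    "Payload/Demo.app/Demo": b"\x00pk_live_" + b"A" * 24 + b"\x00sk_live_" + b"B" * 24 + b"\x00",
    "Payload/Demo.app/GoogleService-Info.plist":
        b"<key>DATABASE_URL</key><string>https://demo-app-12345.firebaseio.com</string>",
    "Payload/Demo.app/config.json": b'{"api_key": "' + b"C" * 32 + b'"}',
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.severity:6} {f.kind:24} {f.file}: {f.value}")
    print("release blockers:", release_blockers(scan_bundle(SAMPLE_BUNDLE)))
```

On the sample bundle the scan reports four findings, but only the sk_live_ key in the compiled binary is a release blocker; the pk_live_ key, the Firebase database URL and the config-file API key are surfaced for review, which mirrors the article's observation that most hardcoded values are harmless while a handful are not. A Firebase endpoint is only a real problem if its security rules allow unauthenticated access, so that finding is a prompt to check the rules rather than a verdict.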
"Many people believe that iOS applications are safer and less likely to contain malware. However, our research shows that many applications in the ecosystem contain easy-to-access credentials. We followed the trail and found open databases with personal data and accessible infrastructure," said a Cybernews security researcher.
"Some iOS developers simply make it too easy for hackers."
We have contacted Apple for comment and will update the article when we hear back.
Via Cybernews