Hundreds of Android apps found leaking API keys, putting users at risk

Hundreds of Android applications being distributed through the Google Play Store have been found leaking Application Programming Interface (API) keys, putting users at risk of identity theft and other threats.

The risks were found by cybersecurity researchers at CloudSEK, who used the company’s BeVigil security search engine to analyze 600 applications on the Play Store.

Overall, the team found half (50%) were leaking API keys of three top transaction and email marketing service providers, putting users at risk of fraud or scams.

MailChimp, SendGrid, MailGun

CloudSEK found the apps were leaking APIs from MailChimp, SendGrid, and Mailgun, allowing potential threat actors to send emails, delete the API keys, and even modify multi-factor authentication (MFA). CloudSEK has since notified the apps’ developers of its findings.

Between them, the apps were downloaded by 54 million people, which are now at risk. Most of the potential victims are located in the United States, with the UK, Spain, Russia, and India, also accounting for a hefty portion. 

“In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative,” commented CloudSEK. “Software developers must avoid embedding API keys into their applications and should follow secure coding and deployment practices like standardize review procedures, rotate keys, hide keys and use vault.”

Between the three services, MailChimp is arguably the biggest, and by leaking MailChimp API keys, app developers would allow threat actors to read email conversation, exfiltrate customer data, grab email lists, run email campaigns of their own, and manipulate promotional codes.

Furthermore, hackers could authorize third-party apps connected to a MailChimp account. In total, the researchers identified 319 API keys, with more than a quarter (28%) being valid. Twelve keys allowed for email reading, it was added. 

Leaking MailGun API keys also allows threat actors to send and read emails, but also to get Simple Mail Transfer Protocol (SMTP) credentials, IP addresses, as well as various statistics. Furthermore, they’d be able to exfiltrate customer mailing lists, as well.

SendGrid, on the other hand, is a communication platform that helps companies deliver transactional and marketing emails through a cloud-based email delivery platform. With an API leak, hackers would be able to send emails, create API keys, and control IP addresses used to access accounts.

Via: Infosecurity Magazine

Go to Source