Over 110,000 Apple App Store Apps Contain Hardcoded Secrets, Exposing Sensitive Data

A study by Cybernews found that more than 110,000 apps on Apple’s App Store ship with hardcoded secrets, including API keys, passwords, and cloud service endpoints. Because anything compiled into an app bundle can be extracted by anyone who downloads the app, these secrets are effectively public. The research highlights significant security risks in mobile app development.

Key Findings:

  • Of the 156,000 apps analyzed, 71% contained at least one secret, with an average of 5.2 secrets per app.
  • Nearly 83,000 cloud storage server addresses were identified; 836 of them were open with no authentication required, exposing 406 TB of data.
  • Over 51,000 Firebase addresses were found, some of them publicly accessible, along with thousands of API keys for services such as Fabric, Live Branch, and MobApp Creator. Some of these keys carried permissions to process payments and issue refunds.

You Should Know:

To prevent hardcoding secrets in your applications, follow these best practices:

1. Use Environment Variables:

Store sensitive values such as API keys in environment variables (or build-time configuration that is never committed) instead of writing them into source code. Be clear about the limit of this advice for mobile apps: a value injected at build time still ends up inside the shipped binary or plist, where anyone with the IPA can read it. Environment variables keep secrets out of your repository and your server-side code; the client itself should hold no long-lived secret and should call a backend you control instead.

export API_KEY="your_api_key_here"

2. Secrets Management Tools:

Use tools such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to store, rotate, and audit access to secrets. Fetch them at runtime from your server-side components; a mobile client that pulls a secret from a vault has only moved the problem, since the vault credential is now the thing shipped in the app.

# Example using AWS Secrets Manager (prints only the secret string, not the JSON envelope)
aws secretsmanager get-secret-value --secret-id MySecret --query SecretString --output text

3. Regular Code Scans:

Use automated tools to scan your codebase and its git history for hardcoded secrets. Tools such as GitGuardian or TruffleHog can help. Note that `pip install trufflehog` installs the legacy Python v2 scanner; the current Go-based v3 release is installed from its GitHub releases and uses the `trufflehog git <url>` and `trufflehog filesystem <path>` subcommands instead of the flags shown here. In either version, the entropy detector is what catches keys no regex knows about, so `--entropy=False` trades coverage for less noise; leave entropy on unless the false positives are unmanageable.

# Install TruffleHog (v2, from PyPI)
pip install trufflehog

# Run TruffleHog on your repository (v2 syntax; regex rules only, entropy detector disabled)
trufflehog --regex --entropy=False https://github.com/your-repo.git
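TruffleHog scans source repositories, whereas the Cybernews study looked at what actually ships inside App Store apps. The following script, added here as an example and not part of the original article or of any tool it names, does the same on a small scale: it pulls printable strings out of each file in an unpacked .ipa (the Mach-O binary, plists, bundled JSON), matches them against documented key formats (AWS access key ids begin with AKIA/ASIA, Google API keys with AIza), and flags remaining long tokens by Shannon entropy. The Firebase and S3 host patterns, the 4.0-bit entropy threshold, and the sample bundle are assumptions constructed for this example; the AWS key id is the placeholder from AWS's own documentation, not a live credential.

```python
"""Added example: a minimal secret scanner for an unpacked iOS app bundle."""
import math
import re
from dataclasses import dataclass

# Documented key formats (AWS AKIA/ASIA ids, Google AIza keys) plus two host
# patterns that are assumptions covering only the common Firebase/S3 hostnames.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "firebase_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "s3_bucket_url": re.compile(r"https://[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
}
# Generic token shape and "looks random" threshold (assumed value; tune it
# against your own false-positive rate).
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+_-]{20,}")
ENTROPY_THRESHOLD = 4.0
# Same idea as the `strings` tool: runs of 8 or more printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.7 for random base64, ~3.5 for English text."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(blob: bytes) -> list[str]:
    """Printable runs from any file, so binaries and plists are handled alike."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def scan_string(path: str, s: str) -> list[Finding]:
    findings = [Finding(path, kind, m.group())
                for kind, pat in PATTERNS.items() for m in pat.finditer(s)]
    known = [f.value for f in findings]
    for m in GENERIC_TOKEN.finditer(s):
        token = m.group()
        # Skip tokens already explained by a specific pattern (e.g. the AIza key).
        if any(v in token for v in known):
            continue
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, "high_entropy_string", token))
    return findings


def scan_bundle(files: dict[str, bytes]) -> list[Finding]:
    """files maps a path inside the unpacked .ipa to its raw contents."""
    return [f for path, blob in files.items()
            for s in extract_strings(blob)
            for f in scan_string(path, s)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample bundle: a plist, a stripped binary with embedded strings,
# and a bundled JSON config. None of these values are real credentials.
SAMPLE_BUNDLE = {
    "Payload/Demo.app/Info.plist": (
        b"<key>CFBundleIdentifier</key>\n<string>com.example.demoapp</string>\n"
        b"<key>GoogleAPIKey</key>\n<string>AIzaSyExampleKey0123456789abcdefghijklm</string>\n"
    ),
    "Payload/Demo.app/Demo": (
        b"\x00\x00\x01https://demo-app-12345.firebaseio.com\x00"
        b"AKIAIOSFODNN7EXAMPLE\x00\x7f"
        b"https://demo-app-uploads.s3.amazonaws.com\x00"
    ),
    "Payload/Demo.app/config.json": (
        b'{"stripe_secret": "q7Tz3Lp9Xw2Vn5Ma8Kb4Rc6Ye1Hd0Jf", "debug": false}'
    ),
}

if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"{f.path}: {f.kind} -> {f.value}")
    print(summarize(results))
```

To run this against a real app, unzip the IPA and feed every file under Payload/*.app to scan_bundle as bytes. App Store binaries are FairPlay-encrypted, so the main executable must be decrypted on a device before its strings are readable; plists, JSON and other resources in the bundle are not encrypted and can be scanned directly. A hit on a firebaseio.com or S3 hostname is only a lead; the Cybernews figures on open storage came from checking whether those endpoints answered without authentication, which is a separate, authorised step.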

4. Secure Firebase Configurations:

Ensure Firebase databases are not publicly accessible. Use Firebase Security Rules to restrict access, and treat a blanket `auth != null` rule as only a floor: it lets every signed-in account (including anonymous sign-ins, if enabled) read and write the entire database. Scope rules to the data each user owns, as in this Realtime Database example (Cloud Firestore uses a different rules language):

{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}

5. Implement CI/CD Security Checks:

Integrate secret scanning into your CI/CD pipeline so a committed key is caught before it reaches a build, let alone production. Check out the full git history (a shallow checkout scans only the latest commit, so a key added and then deleted in an earlier commit would be missed).

# Example GitHub Actions workflow
name: CI/CD Security Check
on: [push]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code (full history, so every commit is scanned)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run TruffleHog
        run: pip install trufflehog && trufflehog --regex --entropy=False .

What Undercode Say:

Hardcoding secrets in applications is a critical security flaw that can lead to severe data breaches. By adopting secure coding practices, utilizing secrets management tools, and integrating security checks into your development pipeline, you can significantly reduce the risk of exposing sensitive information. Always prioritize security in every stage of your development process to protect your applications and users from potential threats.

For more information on securing your applications, visit Cybernews.

References:

Reported By: Erez Dasa – Hackers Feeds