BACKGROUND:
CloudSEK’s security search engine group, BeVigil, is reporting that widespread exposure of API keys imperils the mobile app ecosystem. They discuss the dangers of apps with hardcoded API keys, pointing out that “hardcoded API keys are akin to locking your house but leaving the key in an envelope titled ‘do not open.’”
In an investigation of 13,000 apps recently uploaded to BeVigil for security review, 250 of them used the Razorpay API to enable financial transactions. Ten of these apps (~5%) were found to be exposing their payment integration key ID and key secret. If this finding holds true across the approx. 8 million apps currently using Razorpay, then the number of apps exposing their API keys could be as high as 400,000. The white paper points out: “This discovery comes on the heels of a similar finding that 100 million users’ data is impacted because 0.5% of mobile apps expose their internal AWS keys. This highlights a pattern of systemic mishandling of API keys among app developers.”
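As an added example (not code from CloudSEK, BeVigil or the white paper), here is a small pre-release scan an AppSec team could run over decompiled app resources to catch the exposure described above: a Razorpay key ID shipped together with its key secret, or an AWS access key ID. The key-ID shapes are assumptions based on the publicly documented prefixes, and the sample strings.xml lines are constructed.

```python
import re
from typing import Dict, List

# Credential shapes (assumptions based on publicly documented prefixes, not taken from
# the paper): Razorpay key IDs are "rzp_test_"/"rzp_live_" + 14 alphanumerics; AWS
# access key IDs are "AKIA" + 16 uppercase alphanumerics. A Razorpay key secret has no
# fixed prefix, so it is flagged by the resource name it is stored under.
PATTERNS: Dict[str, re.Pattern] = {
    "razorpay_key_id": re.compile(r"\b(rzp_(?:test|live)_[A-Za-z0-9]{14})\b"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "razorpay_key_secret": re.compile(
        r"(?i)razorpay[_-]?(?:key[_-]?)?secret\W{1,4}([A-Za-z0-9]{16,})"
    ),
}

# Constructed sample: what res/values/strings.xml from a decompiled APK might contain.
SAMPLE_STRINGS_XML = [
    '<string name="app_name">ShopDemo</string>',
    '<string name="razorpay_key_id">rzp_live_ABCDEFGHIJKLMN</string>',
    '<string name="razorpay_key_secret">s3cr3tEXAMPLEvalue0123456789</string>',
    '<string name="aws_access_key">AKIAEXAMPLEEXAMPLE00</string>',
    '<string name="support_email">help@example.com</string>',
]

def redact(value: str) -> str:
    """Keep only the prefix, so a report identifies the key type (and live vs test
    mode) without copying the credential itself into logs or tickets."""
    return value[:9] + "...(" + str(len(value)) + " chars)"

def scan_strings(lines: List[str]) -> List[dict]:
    """Return one finding per credential-shaped value, with its line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"rule": rule, "line": lineno, "match": redact(m.group(1))})
    return findings

def severity(findings: List[dict]) -> str:
    """A key ID is designed to be embedded in the client; key ID plus key secret means
    the payment integration itself is exposed, the case the BeVigil report describes."""
    rules = {f["rule"] for f in findings}
    if {"razorpay_key_id", "razorpay_key_secret"} <= rules:
        return "critical"
    return "high" if rules else "none"

if __name__ == "__main__":
    results = scan_strings(SAMPLE_STRINGS_XML)
    for f in results:
        print(f"line {f['line']}: {f['rule']} -> {f['match']}")
    print("severity:", severity(results))
```

Run it against the strings, assets and native resource directories of the unpacked build before release; a "critical" result should block the release until the secret is moved server-side and rotated.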
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.