BACKGROUND:
CloudSEK’s security search engine group, BeVigil is reporting Widespread Exposure of API Keys Imperils the Mobile App Ecosystem. They discuss the dangers of apps with API keys that are, pointing out that “hardcoded API keys are akin to locking your house but leaving the key in an envelope titled “do not open.”
In an investigation of 13,000 apps recently uploaded to BeVigil for security review, 250 of them used the Razorpay API to enable financial transactions. Ten of these apps (~5%) were found to be exposing their payment integration key ID and key secret. If this finding holds true across the approx. 8 million apps currently using Razorpay, then the number of apps exposing their API keys could be as high as 400,000. The white paper points out “This discovery comes on the heels of a similar finding that 100 million users’ data is impacted because 0.5% of mobile apps expose their internal AWS keys. This highlights a pattern of systemic mishandling of API keys among app developers.“
<p>APIs are great ways of using specialized third-party services while focusing on core business strategies. They are also great ways of gaining illicit entrance into these services by attackers. APIs typically require a key provided by the application that permits the use of defined levels of services. It turns out that many applications hard code these keys into their source code. Any attacker who gains control over the application can also make use of the third-party service.</p>
<p>It goes without saying that API keys shouldn’t be embedded into the application itself. That’s like hard-coding the database system administrator password into a web application. But this also highlights the fact that third-party services have to monitor the use of their services to make sure the use is legitimate. Services that fail to do so are risking attack by their customers’ applications themselves.</p>