
Image: Cybernews
A recent Cybernews investigation found that the majority of iOS applications in the App Store ship with hardcoded secrets in their code, including access keys for cloud storage, third-party APIs, and even payment systems. Because anything compiled into an app can be extracted from the downloaded binary, such secrets are effectively public: anyone who pulls them out can use them to reach the data or services they protect.
An analysis of over 156,000 iOS applications found that each app contains, on average, 5.2 exposed secrets, and 71% of the analyzed applications contained at least one. Most of these secrets are of low sensitivity, but thousands of them could enable serious data breaches or account compromises.
Arnas Nazarovas, a cybersecurity researcher at Cybernews, highlighted that many iOS developers leave critically sensitive information exposed within application code. This oversight allows attackers to effortlessly obtain users’ private data, including payment details and cloud storage credentials.
Key Findings of the Study:
- 83,000 hardcoded cloud storage endpoints were identified; 836 of them require no authentication at all, exposing 406 TB of data.
- More than 51,000 Firebase endpoints, thousands of which are openly accessible without authentication.
- Thousands of exposed API keys associated with services such as Fabric, Live Branch, and MobApp Creator, which could be leveraged to extract users’ personal data.
- Hundreds of highly sensitive credentials that could be used for processing payments, issuing refunds, retrieving private information, and accessing user messages.
The practice of embedding confidential information, such as API keys and passwords, directly into application source code is known as using “hardcoded secrets” and has long been a critical security concern. Both CISA and the FBI have previously warned about it, because a secret shipped inside an app can be recovered from the app bundle with basic static analysis (a strings dump is often enough) and then used for account compromise or unauthorized access to critical systems.
Security researchers advise developers not to store sensitive credentials in client-side applications at all. Instead, the secret should live on a backend server that the app calls, or be handled by an SDK built for key management and protection, so the client never holds a long-lived credential. Making that change can require substantial effort and development time, since an app that talks directly to a third-party service has to be restructured to go through a server the developer controls.
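What the audit side of this looks like in practice, as an added example that is not Cybernews' tooling or any code from the study: the scanner below extracts printable strings from an app binary (the way `strings -n 8` would), matches them against the documented prefixes of a few well-known credential formats, and falls back to a Shannon-entropy test for long tokens in unknown formats, ranking each hit by how much it can do on its own. The pattern list and severity labels are the author's own choices, the `SAMPLE_BINARY` blob is constructed for this example (it uses AWS's documented example key pair and a Stripe-style key with the documented test-key body), and everything runs offline.

```python
"""Scan an app binary's printable strings for hardcoded secrets.

Added example, not the Cybernews study's tooling. Credential formats are the
documented prefixes of the named vendors; the sample binary is constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known credential formats. Severity reflects what the secret can do alone:
# a private key or payment secret is immediately abusable, an API key may be
# restricted, and an endpoint URL is only a lead until an auth check is done.
SECRET_PATTERNS = [
    ("private_key_block", "high",   re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("aws_access_key_id", "high",   re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("stripe_secret_key", "high",   re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b")),
    ("google_api_key",    "medium", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("firebase_db_url",   "low",    re.compile(r"https://[a-z0-9-]+\.firebaseio\.com")),
    ("s3_bucket_url",     "low",    re.compile(r"https://[a-z0-9.\-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com")),
]

# Fallback for unknown formats: a long token from a base64/url-safe alphabet
# whose Shannon entropy is too high to be a symbol name or padding.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 3.5   # bits per char; repeated padding scores 0, random base64 about 5

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")   # what `strings -n 8` would emit


@dataclass(frozen=True)
class Finding:
    kind: str
    severity: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_strings(blob: bytes) -> list[str]:
    """Return every run of 8+ printable ASCII bytes, like `strings` does."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def scan_string(s: str) -> list[Finding]:
    findings, covered = [], []
    for kind, severity, pat in SECRET_PATTERNS:
        for m in pat.finditer(s):
            findings.append(Finding(kind, severity, m.group()))
            covered.append(m.span())
    for m in GENERIC_TOKEN.finditer(s):
        start, end = m.span()
        if any(start < e and b < end for b, e in covered):
            continue   # already reported under a specific format
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high_entropy_string", "review", m.group()))
    return findings


def scan_binary(blob: bytes) -> list[Finding]:
    return [f for s in extract_strings(blob) for f in scan_string(s)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, the triage view an auditor wants first."""
    return dict(Counter(f.severity for f in findings))


# Constructed stand-in for an extracted Mach-O binary. Not a real app.
SAMPLE_BINARY = b"\x00".join([
    b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01",                   # Mach-O 64-bit magic plus filler
    b"Copyright 2024 Example Corp. All rights reserved.",
    b"AKIAIOSFODNN7EXAMPLE",                                # AWS documentation example access key ID
    b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",            # matching AWS documentation example secret
    b"AIzaSyB0bExample12345abcdefghijklmnopqr",             # constructed Google/Firebase web API key
    b"https://example-app-12345.firebaseio.com",            # constructed Firebase Realtime DB URL
    b"https://my-photos-bucket.s3.amazonaws.com/uploads/",  # constructed S3 bucket URL
    b"sk_live_4eC39HqLyjWDarjtT1zdp7dc",                    # Stripe-style key, constructed
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",            # long but low-entropy: must not be flagged
    b"\x00\x00\x00\x00",
])


if __name__ == "__main__":
    results = scan_binary(SAMPLE_BINARY)
    for f in results:
        print(f"{f.severity:6} {f.kind:20} {f.value}")
    print(summarize(results))
```

Run against a real target, the input would be the decrypted main executable from the app bundle rather than `SAMPLE_BINARY`; the scanner reports seven hits on the sample, three of them high severity, and correctly ignores the repetitive padding string. The endpoint hits are deliberately rated low: as the study's 836-out-of-83,000 figure shows, an endpoint URL only becomes a finding of consequence once you confirm it answers without authentication, which is a separate, authorized check.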
Apple, the leading smartphone vendor in the U.S., does not currently check for hardcoded secrets during App Review. The company says 90% of app updates are reviewed within 24 hours, although some reviews take several weeks. As of the study’s publication, Apple had not responded to the findings.
To limit their exposure, users are advised to install apps only from verified developers, restrict app permissions, and regularly remove unused applications. These precautions reduce the amount of data at risk, but they cannot remove a secret a developer has already shipped inside an app; only the developer can do that, by rotating the credential and moving it out of the client.