Thousands of iOS apps found to expose user data

A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.

(Image credit: Brett Jordan / Pexels)

Security researchers from Cybernews found thousands of iOS apps with hardcoded secrets
The secrets could be used in data leakage or wire fraud
The majority of the secrets can be disregarded as low-sensitivity

Researchers have found evidence to suggest thousands of App Store applications have left hardcoded secrets in their code, which has resulted in user's sensitive information being exposed to cybercriminals.

Cybernews researchers analyzed more than 156,000 iOS apps and discovered more than 815,000 hardcoded secrets, thousands of which were “very sensitive and could lead directly to breaches or data leaks.”

A “secret” is a broad term, and includes things like API keys, passwords, or encryption keys. Being “hardcoded” means that the developers add these things directly in the source code. The general consensus is that they do it since it’s convenient in production, and often just forget to remove the secrets once the app goes live.

Cloud info, API keys, Stripe data

The average app's code exposes 5.2 secrets, and 71% of apps leak at least one secret, Cybernews reported.

The majority of these secrets can be disregarded, they explained, since they can’t be used in criminal attacks. However, they found almost 83,000 hardcoded cloud storage endpoints, 836 of which do not require authentication and could leak more than 400TB of data. They also found 51,000 Firebase endpoints, “thousands” of which are open to outsiders, as well as thousands of exposed keys for Fabric API, Live Branch, MobApp Cretor, and others.

The biggest problem, though, were 19 Stripe secret keys, which directly control financial transactions. “Stripe is widely used by e-commerce and even fintech companies to handle online payments,” Cybernews explained.

“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.

“Some iOS developers just make it too easy for hackers.”

We have reached out to Apple for comment and will update this article if we hear back.

Millions of online shoppers could be at risk from hardcoded Shopify tokens
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.