Hundreds of Android apps found leaking API keys, putting users at risk

Threat actors could use leaked APIs to send fraudulent emails


Hundreds of Android applications being distributed through the Google Play Store have been found leaking Application Programming Interface (API) keys, putting users at risk of identity theft and other threats.

The risks were found by cybersecurity researchers at CloudSEK, who used the company’s BeVigil security search engine to analyze 600 applications on the Play Store.

Overall, the team found half (50%) were leaking API keys of three top transaction and email marketing service providers, putting users at risk of fraud or scams.

MailChimp, SendGrid, MailGun

CloudSEK found the apps were leaking API keys for MailChimp, SendGrid, and Mailgun, allowing potential threat actors to send emails, delete the API keys, and even modify multi-factor authentication (MFA). CloudSEK has since notified the apps’ developers of its findings.

Between them, the apps were downloaded by 54 million people, who are now at risk. Most of the potential victims are located in the United States, with the UK, Spain, Russia, and India also accounting for a hefty portion.

“In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative,” commented CloudSEK. “Software developers must avoid embedding API keys into their applications and should follow secure coding and deployment practices like standardize review procedures, rotate keys, hide keys and use vault.”


Of the three services, MailChimp is arguably the biggest, and by leaking MailChimp API keys, app developers would allow threat actors to read email conversations, exfiltrate customer data, grab email lists, run email campaigns of their own, and manipulate promotional codes.


Furthermore, hackers could authorize third-party apps connected to a MailChimp account. In total, the researchers identified 319 API keys, with more than a quarter (28%) being valid. Twelve keys allowed for email reading, it was added.

Leaked MailGun API keys also allow threat actors to send and read emails, and additionally to get Simple Mail Transfer Protocol (SMTP) credentials, IP addresses, and various statistics. They would also be able to exfiltrate customer mailing lists.

SendGrid, on the other hand, is a communication platform that helps companies deliver transactional and marketing emails through a cloud-based email delivery platform. With an API leak, hackers would be able to send emails, create API keys, and control IP addresses used to access accounts.
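For developers acting on CloudSEK's advice not to embed API keys, a pre-release check can scan the unpacked app's resources and sources for strings shaped like keys of the three providers named above. The following is an added example, not code from CloudSEK or the article; the key shapes are the ones commonly matched by secret scanners and are assumptions here, and the sample files and keys are constructed.

```python
import re
import sys

# Key shapes as commonly matched by secret scanners (assumed, not from the article).
KEY_PATTERNS = {
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"),
    "mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}

# Constructed sample of unpacked app files; every key below is fake.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">Demo</string>\n'
        '  <string name="sg_key">SG.' + "a" * 22 + "." + "b" * 43 + '</string>\n'
        '</resources>\n'
    ),
    "BuildConfig.java": (
        'public final class BuildConfig {\n'
        '  static final String MC = "' + "0123456789abcdef" * 2 + '-us14";\n'
        '  static final String MG = "key-' + "f" * 32 + '";\n'
        '  static final String SHA = "' + "0123456789abcdef" * 2 + '";\n'  # plain hash, not a key
        '}\n'
    ),
}

def redact(secret):
    """Keep a short prefix for triage; never log the full key."""
    return f"{secret[:6]}...({len(secret)} chars)"

def scan(files):
    """Return (path, line number, provider, redacted match) for each hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for provider, pattern in KEY_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((path, lineno, provider, redact(match.group())))
    return findings

if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for path, lineno, provider, shown in hits:
        print(f"{path}:{lineno}: possible {provider} key {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit fails a CI release gate
```

Any key the check finds in a shipped build should be treated as exposed and rotated, since removing it from the next release does not recall copies already distributed.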

Via: Infosecurity Magazine

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
