Presentation Material
AI Generated Summary
This research investigates the widespread leakage of hard-coded API keys and secrets within mobile applications, based on data from a million scanned apps. The primary focus was on Twitter API credentials, though the methodology identified keys for numerous services including AWS, Firebase, and payment processors.
Key findings revealed nearly 10,000 apps contained hard-coded AWS API keys and over 89,000 apps leaked Twitter consumer keys. Through static analysis, the researchers identified 230 applications that exposed all four required Twitter user authentication credentials (consumer key, consumer secret, access token, access token secret). This allowed full account compromise, enabling actions such as reading direct messages, posting tweets, deleting content, and modifying account settings. Even leaks of only the consumer key and secret posed risks for apps using Twitter’s premium/enterprise APIs, as they could enumerate deployed webhooks.
The research utilized a custom security search engine, Be Visual, which automates app collection, decompilation (using tools like APKTool), and regex-based pattern matching against a signature database of over 300 service-specific key formats. A critical observation was that many developers use non-standard variable names for keys, requiring broader keyword searches beyond predefined signatures.
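The two-stage scan described above (value-shape signatures first, then broader variable-name keywords for keys whose format is not distinctive) and the "all four Twitter credentials present" check from the findings paragraph, written out as an added Python example. This is not the talk's tool or the search engine it describes: the regexes, keyword list, entropy threshold and the "decompiled" sample files are all constructed here for illustration, and the AWS key id is the AWS documentation placeholder value.

```python
"""Minimal hard-coded secret scanner in the spirit of the signature-plus-keyword
approach described above. Added example, not the talk's tool: every pattern,
keyword, threshold and sample file below is constructed for illustration."""
import math
import re
from collections import Counter

# Stage 1: value-shape signatures. These fire however the variable is named.
# The AWS prefix is the well-known AKIA format; the Twitter access-token shape
# (numeric user id, dash, 40 alphanumerics) follows common scanner conventions
# and is treated here as an assumption.
SHAPE_SIGNATURES = [
    ("aws", "access_key_id", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("twitter", "access_token", re.compile(r"^\d{5,}-[A-Za-z0-9]{40}$")),
]

# Stage 2: keyword rules for values whose shape alone is not distinctive (a 25-
# or 50-character alphanumeric literal could be anything). The variable name is
# matched loosely on purpose, because developers rarely use canonical names.
# Tuple: (service, credential type, name keyword regex, expected value length).
KEYWORD_RULES = [
    ("twitter", "consumer_key", re.compile(r"(consumer|twitter|tw)_?key", re.I), 25),
    ("twitter", "consumer_secret", re.compile(r"(consumer|twitter|tw)_?secret", re.I), 50),
    ("twitter", "access_token_secret", re.compile(r"token_?secret", re.I), 45),
]
MIN_ENTROPY = 3.0  # bits per character; filters placeholders such as "XXXX..."

# Java-style string assignments as produced by a decompiler: name = "literal"
ASSIGNMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')
ALPHANUM = re.compile(r"[A-Za-z0-9]+")

TWITTER_USER_SET = {"consumer_key", "consumer_secret", "access_token", "access_token_secret"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; low values indicate placeholder strings."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def classify(name: str, value: str):
    """Return (service, credential) for a suspicious literal, else None."""
    for service, cred, pat in SHAPE_SIGNATURES:  # shape match wins regardless of name
        if pat.match(value):
            return service, cred
    if not ALPHANUM.fullmatch(value) or shannon_entropy(value) < MIN_ENTROPY:
        return None
    for service, cred, keyword, length in KEYWORD_RULES:
        if keyword.search(name) and len(value) == length:
            return service, cred
    return None


def scan_app(files: dict) -> list:
    """Scan {path: source_text} and return findings with the value redacted."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ASSIGNMENT.finditer(line):
                hit = classify(m.group(1), m.group(2))
                if hit:
                    findings.append({"file": path, "line": lineno, "name": m.group(1),
                                     "service": hit[0], "credential": hit[1],
                                     "value": m.group(2)[:4] + "..."})  # never log full secrets
    return findings


def twitter_risk(findings: list) -> str:
    """Map the set of leaked Twitter credential types to the impact the talk describes."""
    creds = {f["credential"] for f in findings if f["service"] == "twitter"}
    if TWITTER_USER_SET <= creds:
        return "full user-account takeover"
    if {"consumer_key", "consumer_secret"} <= creds:
        return "app credentials only (webhook enumeration on premium/enterprise tiers)"
    return "partial" if creds else "none"


# Constructed sample "decompiled" sources; the AWS id is the documentation example value.
APP_FULL_LEAK = {
    "com/example/app/Config.java": '''
public final class Config {
    public static final String TW_CONSUMER_KEY = "AbCdEfGhIjKlMnOpQrStUvWxY";
    public static final String TW_CONSUMER_SECRET = "zYxWvUtSrQpOnMlKjIhGfEdCbA0123456789abcdefghijklmn";
    public static final String TW_TOKEN = "1234567890-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN";
    public static final String TW_TOKEN_SECRET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghi";
    private static final String S3_KEY = "AKIAIOSFODNN7EXAMPLE";
}
''',
}
APP_PARTIAL_LEAK = {  # non-standard name, an all-X placeholder, and an innocuous literal
    "com/example/app/Net.java": '''
String consumerKey = "ZyXwVuTsRqPoNmLkJiHgFeDcB";
String twitterKey = "XXXXXXXXXXXXXXXXXXXXXXXXX";
String version = "1.2.3";
''',
}

if __name__ == "__main__":
    for label, app in (("full", APP_FULL_LEAK), ("partial", APP_PARTIAL_LEAK)):
        found = scan_app(app)
        for f in found:
            print(f"{label}: {f['file']}:{f['line']} {f['service']}/{f['credential']} ({f['name']})")
        print(f"{label}: twitter risk = {twitter_risk(found)}")
```

The ordering matters: shape signatures run before keyword rules so that a key with a distinctive format is caught even under an unrelated name (the `S3_KEY` line), while the keyword stage only fires on high-entropy alphanumeric literals of the expected length, which is what keeps the `twitterKey` placeholder and the version string out of the report. A real deployment would swap the three illustrative keyword rules for a maintained signature set and add the decompiler's smali `const-string` form, where no variable name exists and only shape matching applies.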
Practical implications are severe: leaked credentials provide direct access to backend infrastructure and social media accounts. Remediation requires a multi-step process: implementing mandatory source code reviews and automated secret scanning in