Is Your Mobile App Leaking Secrets?

In Why Exposed API Keys and Sensitive Data are Growing Cause for Concern, Janet Wagner points out that the exposure of sensitive data through code is a growing cause of concern, as developers rely more and more on the cloud for the whole workflow of developing and deploying their applications, and on third-party services accessed from within those applications at run-time.

Here are some examples of places where exposed API keys, tokens, passwords, cloud credentials, and other secrets have been found:

  • In code committed to GitHub, GitLab, and other online code repositories
  • In CI pipelines and automation tools on the cloud
  • In code copy-pasted to places like Stack Overflow, forums, issue trackers, etc.

The simplest way to check for secrets in our code is to search in our editor of choice, or with a simple command in the shell, for the common variable names used to reference them. The problem with this approach is that we need to remember every name in our code that references a secret, which makes it an ineffective way of ensuring our code is free of sensitive information that we do not want leaked.

Open source is often our best friend, and this time is no exception. A quick search for better alternatives may lead us to a tool like the truffleHog package on GitHub, which scans every git commit in a repository for secrets by looking for high-entropy strings and for regex patterns that match known key formats.
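To make those two checks concrete, here is a small Python scanner added for this article; it is not truffleHog's own code nor anything from the Approov repository. It applies fixed-prefix regexes and a Shannon-entropy check over long base64 and hex runs, and it scans only the lines a unified diff adds, which is what a check over `git diff --cached` would see before a commit leaves your machine. The AWS and GitHub key prefixes are their public formats; the generic assignment pattern, the sample diff and its key values are constructed for the example, and the entropy thresholds are assumptions that mirror the defaults of truffleHog's original entropy check.

```python
import math
import re

# Regexes for key formats with a fixed, documented prefix (AWS access key IDs,
# GitHub personal access tokens). The "generic" assignment pattern is a
# constructed heuristic for this example and will fire on ordinary long
# config values too; treat its hits as candidates to review, not verdicts.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
    ),
}

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"

# Assumed thresholds (mirroring truffleHog's original defaults): a run must be
# at least 20 characters, and is flagged above 4.5 bits/char for base64 runs
# or 3.0 bits/char for hex runs. Tune these for your own code base.
MIN_RUN = 20
THRESHOLDS = {"base64": (BASE64_CHARS, 4.5), "hex": (HEX_CHARS, 3.0)}


def shannon_entropy(data: str) -> float:
    """Average bits per character of `data` (0.0 for an empty or constant string)."""
    if not data:
        return 0.0
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    length = len(data)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def charset_runs(word: str, charset: str, min_len: int = MIN_RUN):
    """Yield maximal substrings of `word` drawn only from `charset` and at least `min_len` long."""
    run = []
    for ch in word + "\0":  # the sentinel flushes the final run
        if ch in charset:
            run.append(ch)
        else:
            if len(run) >= min_len:
                yield "".join(run)
            run = []


def scan_line(line: str):
    """Return a list of (kind, matched_string) findings for one line of text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append((kind, m.group(0)))
    for word in line.split():
        for name, (charset, threshold) in THRESHOLDS.items():
            for run in charset_runs(word, charset):
                if shannon_entropy(run) > threshold:
                    findings.append((f"high_entropy_{name}", run))
    return findings


def scan_diff(diff_text: str):
    """Scan only the added lines of a unified diff.

    Removed and context lines are skipped, so a secret that a commit deletes
    does not show up as a new finding. Returns (path, line, kind, match) tuples.
    """
    results = []
    path = "?"
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # new-file header: remember the path
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("+"):             # an added line
            text = raw[1:]
            for kind, match in scan_line(text):
                results.append((path, text.strip(), kind, match))
    return results


# Constructed sample diff. The AWS key is Amazon's documented example key, the
# hex value is SHA-256("test") standing in for a random signing secret, and
# "ApplicationConfiguration" is a long but low-entropy value that must NOT fire.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SIGNING_SECRET = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+DEFAULT_PROFILE = "ApplicationConfiguration"
 APP_NAME = "shipfast"
"""

if __name__ == "__main__":
    for path, text, kind, match in scan_diff(SAMPLE_DIFF):
        print(f"{path}: {kind}: {match!r}\n    in: {text}")
```

Two things are worth noticing in the output: the AWS example key has too little entropy (only 14 distinct characters in 20) to trip the entropy check and is caught by its prefix regex alone, while the hex secret is caught by entropy with no pattern at all. That is why truffleHog runs both checks; either one on its own misses real keys.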

Let’s use a Docker container to run truffleHog against the Approov ShipFast code with the following commands:

$ sudo docker run --rm -it python bash
root@<container-id>:/# pip install truffleHog
root@<container-id>:/# git clone https://github.com/approov/shipfast-api-protection.git
root@<container-id>:/# truffleHog shipfast-api-protection

We will be presented with a very long output in which we can find API keys being leaked, as in this partial screenshot:

[Screenshot: truffleHog output highlighting a leaked API key]

Now, let’s run it again, but this time against the public GitHub URL of our Approov ShipFast demo, with the commands:

$ sudo docker run --rm -it python bash
root@<container-id>:/# pip install truffleHog
root@<container-id>:/# truffleHog https://github.com/approov/shipfast-api-protection.git

Once more we get a very long output, and in it another instance of the API key being leaked.

Ah, but wait! Do you think you are safe because you removed the sensitive data immediately after committing it?

Well, I have bad news for you. Some services cache every GitHub commit, so attackers can query those services, or use the same scanning techniques themselves, to pick up any secret within seconds of it being pushed to GitHub.

Attackers can, for example, use exposed cloud credentials to spin up servers for Bitcoin mining or for launching DDoS attacks, and you will be the one paying the bill in the end, as in the famous “My $2375 Amazon EC2 Mistake” story posted on Reddit.

Oh, and did I already mention that, in the case of mobile apps, the binary can be reverse-engineered with tools like the Mobile Security Framework, regardless of the techniques you may have employed to protect the secrets in your mobile app at run-time or to hide them in the binary?

For a demo of how several techniques can be employed to secure secrets in your mobile app and, at the same time, how each of them can be bypassed or reverse-engineered, you may want to go through the ShipFast App Demo. It shows how API keys, HMAC, OAuth2, and other techniques can be bypassed in order to tamper with your app or retrieve secrets that allow unauthorized access to the API server or to any third-party services the app accesses directly. Check this series of articles for more detailed information on API abuse.

Now that you are aware of the dangers of leaking API keys and other secrets, it is time to start removing them from your code and to improve the security of your mobile app and API server by going through these mobile API security techniques.

As a final note, I would recommend that, as a developer, you strive to continuously test the security of your code by following the recommendations in the OWASP Mobile Security Testing Guide.

Lovepreet Singh

29 Comments

  1. You really make it seem so easy with your presentation, but I find this topic to be actually something that I think I would never understand.
    It seems too complex and very broad for me. I am looking forward
    to your next post; I will try to get the hang of it!


  5. I was recommended this website by my cousin. I am no
    longer sure whether or not this submit is written by him as nobody else recognise such
    exact about my trouble. You’re incredible! Thanks!

  6. Wow! At last I got a website from where I can in fact obtain valuable information concerning my study and knowledge.


  8. Hello everybody, here everyone is sharing such know-how, so
    it’s pleasant to read this web site, and I used to visit this web site every day.

  9. Heya, I am here for the first time. I found this
    board and I find it truly helpful; it helped me out much.
    I’m hoping to give something back and help others like you helped me.

  10. Wow! In the end I got a webpage from where I be able to in fact obtain helpful facts regarding my study and knowledge.

  11. Heya are using WordPress for your blog platform? I’m new to
    the blog world but I’m trying to get started and set up my own. Do you
    need any coding knowledge to make your own blog? Any help would be greatly appreciated!

  12. What’s up, I am Kavin, it’s my first occasion to comment anywhere; when I read this piece of writing I thought I could also
    make a comment due to this sensible paragraph.

  13. Hi, I am Kavin, it’s my first occasion to comment anyplace; when I read this article I thought I could also make a
    comment due to this sensible paragraph.

  14. Pretty nice post. I just stumbled upon your blog and wished
    to say that I’ve truly enjoyed surfing around your blog posts.
    After all I’ll be subscribing for your feed
    and I am hoping you write once more very soon!

  15. I enjoy what you guys are up too. This kind of clever work
    and reporting! Keep up the very good works guys I’ve added you guys to
    blogroll.


  17. This is a topic that is near to my heart… Cheers! Where are your contact
    details though?

  18. I want to to thank you for this excellent read!!
    I certainly loved every bit of it. I have got you bookmarked to look at new stuff
    you post…

  19. When someone writes an piece of writing he/she retains the image
    of a user in his/her mind that how a user can know it.
    Therefore that’s why this article is perfect.
    Thanks!

  20. It’s going to be end of mine day, but before end I am
    reading this impressive article to improve my experience.

  21. Saved as a favorite, I love your web site!

  22. I’m not sure exactly why but this web site is
    loading incredibly slow for me. Is anyone else having this issue or is it a problem on my end?
    I’ll check back later and see if the problem still exists.

  23. When someone writes an post he/she maintains the thought
    of a user in his/her brain that how a user can understand it.

    Therefore that’s why this post is great. Thanks!

  24. You can certainly see your enthusiasm within the article you write.

    The sector hopes for more passionate writers like you who
    aren’t afraid to mention how they believe. All the time follow your
    heart.

  25. Thanks a bunch for sharing this with all folks you really realize what
    you are speaking about! Bookmarked. Kindly additionally
    seek advice from my site =). We may have a hyperlink alternate agreement between us

  26. Great pieces. Keep writing such kind of information on your page.
    I’m really impressed by it.
    Hi there, you have done an excellent job. I’ll certainly digg it and individually suggest it to my friends.
    I am sure they will benefit from this website.

  27. Thanks for finally talking about >Is Your Mobile App
    Leaking Secrets? – Tech and Security <Liked it!
