
posted by Fnord666 on Thursday January 19 2017, @02:01AM
from the when-will-they-learn dept.

ComputerWorld:

Many developers still embed sensitive access tokens and API keys into their mobile applications, putting data and other assets stored on various third-party services at risk.

A new study performed by cybersecurity firm Fallible on 16,000 Android applications revealed that about 2,500 had some type of secret credential hard-coded into them. The apps were scanned with an online tool released by the company in November.

Hard-coding access keys for third-party services into apps can be justified when the access they provide is limited in scope. However, in some cases, developers include keys that unlock access to sensitive data or systems that can be abused.

This was the case for 304 apps found by Fallible that contained access tokens and API keys for services like Twitter, Dropbox, Flickr, Instagram, Slack, or Amazon Web Services (AWS).

Three hundred apps out of 16,000 might not seem like a lot, but, depending on its type and the privileges associated with it, a single leaked credential can lead to a massive data breach.

Slack tokens, for example, can provide access to chat logs used by development teams, and these can contain additional credentials for databases, continuous integration platforms, and other internal services, not to mention shared files and documents.

Last year, researchers from website security firm Detectify found more than 1,500 Slack access tokens that had been hard-coded into open source projects hosted on GitHub.

[...] This is not the first time when API keys, access tokens, and other secret credentials were found inside mobile apps. In 2015, researchers from Technical University in Darmstadt, Germany, uncovered more than 1,000 access credentials for Backend-as-a-Service (BaaS) frameworks stored inside Android and iOS applications. Those credentials unlocked access to more than 18.5 million database records containing 56 million data items that app developers stored on BaaS providers like Facebook-owned Parse, CloudMine, or AWS.

[Continues...]

The Register:

Some 2500 apps contained either secrets or third-party keys, with most, such as those found in Uber's app, being safe and necessary for the platforms to function on Google Play or with other services.

Others contained Amazon Web Services keys that granted extensive access to accounts.

"Some keys are harmless and are required to be there in the app for example Google's API key but there were lots of API secrets as well which definitely shouldn't have been in the apps," researchers at the company say.

"Then there were AWS secrets too hardcoded in the apps. Some of them had full privilege of creating and deleting instances."

Twitter keys were the most common to be found in the studied apps, along with Urban Airship and a scattering of other services.

"For app developers reading this, whenever you hardcode any API key or token into your app, think hard if you really need to hardcode this, [and] understand the API usage and the read and write scope of the tokens," Fallible researchers say.

-- submitted from IRC
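A defender's pre-release check in the spirit of the advice quoted above, added here as an example (it is not Fallible's scanner nor code from either article): it runs over the strings extracted from a build, flags the credential formats the articles name, and treats a Google API key as review-only while AWS and Slack secrets block the release. The prefix patterns are the providers' publicly documented formats; the sample input is constructed.

```python
"""Pre-release scan of an app's extracted strings for hard-coded credentials."""
import re
from dataclasses import dataclass
# Detectors keyed on publicly documented prefixes. Severity follows the article's
# distinction: a Google API key is expected in a client app (restrict it in the
# console), while AWS and Slack secrets never belong in a shipped binary.
PATTERNS = {
    # AWS access key IDs are "AKIA" plus 16 uppercase alphanumerics.
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    # A 40-char value assigned near an "aws...secret" name is what grants access.
    "aws_secret_access_key": (re.compile(r"(?i)aws_?secret[^'\"\n]{0,30}['\"]([A-Za-z0-9/+=]{40})['\"]"), "high"),
    # Slack bot/user/app/refresh tokens start with xoxb/xoxp/xoxa/xoxr.
    "slack_token": (re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{20,}"), "high"),
    # Google API keys are "AIza" plus 35 chars.
    "google_api_key": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "review"),
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    severity: str
    redacted: str  # reports carry only the ends of the value, never the secret

def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]

def scan_strings(text: str) -> list:
    """Scan line by line, e.g. the output of `strings classes.dex` or decompiled XML."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, severity) in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(line_no, kind, severity, redact(value)))
    return findings

def release_gate(findings) -> bool:
    """True if the build may ship: a 'high' finding blocks it, 'review' only warns."""
    return not any(f.severity == "high" for f in findings)
# Constructed sample input. The AWS pair is the placeholder AWS uses in its own
# documentation; the Google and Slack values are made up.
SAMPLE_STRINGS = "\n".join([
    "com.example.app.BuildConfig",
    'GOOGLE_MAPS_KEY = "AIzaCONSTRUCTED' + "x" * 24 + '"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'slack_hook = "xoxb-000000000000-000000000000-CONSTRUCTEDfaketoken"',
    "https://api.example.com/v1/upload",
])
```

Running `scan_strings(SAMPLE_STRINGS)` yields one review-level and three high-level findings, so `release_gate` returns False for this build.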

    (Score: 2) by Pino P (4721) on Thursday January 19 2017, @10:03PM (#456256)

    And as my hobby grew, my business paid for the hosting as well

    By "my business", do you refer to a business that you own, or just a business that employs you?

    Third-party ads were never once included in the equation. Why are they included today? Is it because developers can't host their own websites anymore because of the "???" in the 4 steps to profit? PayPal and eBay make for great payment processors, provided one is OK with either handling their money.

    Unless your articles are as expensive as those of closed-access scholarly journals published by Elsevier or Springer, paying per article doesn't work when PayPal and other payment processors skim off a substantial fee per transaction (currently 0.30 USD) in addition to a 3 percent cut. Nor does a monthly subscription work for people who arrive at your site through a search engine result or an article URL shared by one of your readers. Most readers would click the back button instead of creating an account, waiting for the confirmation email to arrive, and paying $4 for a month's access just to read one article, especially if there are 20 different sites to which they'd need to subscribe to read 20 different articles.

    Is it that they rely on an app store to reach people, and the app store has to only have applications with advertising networks and wrappers embedded into what is otherwise a program entirely unrelated to it?

    Here's how I've heard it: It's because smartphone manufacturers and carriers began to sell Android devices in countries where Google had not yet begun to offer Google Checkout. In those countries, Android Market (now Google Play Store) listed only free (as in beer) applications. Therefore, to reach users in those countries, developers had to make their Android applications available without charge. This expectation that applications shall be ad-supported rather than paid up front eventually leaked to the rest of the world, even countries where Google was offering paid applications.

    And this is all because new programmers were never taught how to do these other parts of running a business

    Correct. Universities aren't trade schools, despite persistent efforts to pass them off as such, and many undergraduate engineering curricula don't include self-employment as a required or even strongly recommended course.
