Widely used apps on the Google Play Store and Apple App Store had codebases containing hardcoded and unencrypted credentials for various cloud services, reports BleepingComputer.
Android apps Pic Stitch and Meru Cabs, which have more than five million downloads each, had exposed Amazon and Microsoft Azure Blob Storage hardcoded credentials, respectively, an analysis from Symantec revealed. Azure Blob Storage hardcoded credentials were also discovered within the Sulekha Business and ReSound Tinnitus Relief apps, which have more than 500,000 downloads each, and the Saludsa app, which has more than 100,000 downloads. On the other hand, Amazon hardcoded credentials were identified in the iOS apps Crumbl, which has more than 3.9 million ratings, Eureka, which has over 402,100 ratings, and Videoshop - Video Editor, which has over 357,900 ratings. "This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches," said Symantec researchers.
