Sloppy developers are creating security risks by hardcoding credentials for application programming interface (API) access to popular services into thousands of apps, researchers have found.
Security vendor Fallible scanned around 16,000 apps on Google Play for API keys and secrets to assess how safe they were. It discovered that some 2,500 had either the key or the secret providing access to a third-party service hardcoded into them.
Fallible said some keys were harmless and necessary, but found another 304 API secrets that should not have been in apps.
Among the services that apps leaked secrets for were Twitter, Uber, Flickr, WeChat, Dropbox, Instagram and Slack.
Ten apps had the secrets to Amazon Web Services hardcoded into them. Some had full administrator privilege on AWS, and could create and delete cloud instances.
In the case of Uber, the secret Fallible found could be used to send bogus in-app notifications via the ride-sharing company's API.
Fallible warned developers to think twice about whether or not they actually needed to hardcode API credentials into their apps. The researchers also advised developers to understand how the API is used, and the scope of the access rights the credentials provide for third-party services.
Third-party service providers should also clearly warn and instruct developers not to put secrets in apps, and create multiple API credentials with different scopes if required to limit security risks, the researchers said.
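As an added example (not Fallible's scanner or code from the article), the check below shows the kind of pattern-plus-entropy scan a developer or reviewer could run over decompiled app resources and sources to catch hardcoded secrets before release. The "AKIA" prefix is the documented AWS access key ID format; the other two patterns, the resource names and the sample strings.xml and Java line are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Credential formats that should never ship inside an APK. "AKIA..." is the
# documented AWS access key ID format; the other two patterns are assumptions
# keyed on resource/variable names developers commonly use, not vendor formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}[\"']?(?P<value>[A-Za-z0-9/+=]{40})",
        re.IGNORECASE),
    "generic_secret": re.compile(
        r"(?:api|consumer|client)[_-]?secret\W{0,3}[\"']?(?P<value>[A-Za-z0-9_\-/+=]{16,})",
        re.IGNORECASE),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxxxxxx' score near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, source: str, min_entropy: float = 2.5) -> list:
    """Return one finding per credential-looking value in decompiled app text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("value")
                if shannon_entropy(value) < min_entropy:
                    continue  # low-entropy values are placeholders, not live secrets
                findings.append({"file": source, "line": lineno,
                                 "kind": kind, "value": value})
    return findings

# Constructed sample of a decompiled res/values/strings.xml; every value is fake.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">DemoApp</string>
    <string name="aws_access_key_id">AKIAEXAMPLEEXAMPLE01</string>
    <string name="aws_secret_access_key">Constructed0Secret1Value2For3Demo4Only5X</string>
    <string name="twitter_consumer_secret">Constructed0Twitter1Consumer2Secret3</string>
    <string name="slack_client_secret">xxxxxxxxxxxxxxxxxxxxxxxx</string>
</resources>"""
# Constructed sample of a decompiled Java source line with the same mistake.
SAMPLE_JAVA = 'static final String TWITTER_CONSUMER_SECRET = "Constructed0Twitter1Consumer2Secret3";'

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS_XML, "res/values/strings.xml") + scan_text(SAMPLE_JAVA, "Api.java"):
        print(f"{f['file']}:{f['line']} {f['kind']} -> {f['value'][:6]}...")
```

Run it over the output of a decompiler such as apktool or jadx; the entropy threshold keeps template placeholders out of the report, and a finding for an AWS key should be followed by checking the scope of the IAM identity it belongs to, which is the point the researchers make about limiting credential rights.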