API keys that are hardcoded and embedded in mobile apps can be discovered and exposed easily.
A recent BeVigil study of mobile apps found that around 0.5% of them leak API keys (the study focused on AWS keys). This percentage may not sound like much, but the study gives us reason to believe that more than 100 million users globally could be affected, because even popular apps with more than 10M and even 100M installs were among the analyzed apps that tested positive for API key leakage.
The use of APIs for accessing and integrating external services is very common these days, and on a very positive note they clearly drive innovation and digitization in many areas. APIs called from within mobile apps, and the API keys used to access the underlying services, are used across countless industry verticals and by individual developers.
The dangers of API key leakage
API keys that are hardcoded and embedded in mobile apps can be discovered and exposed easily. They suddenly become a risk for the app's users: they can be misused or sold by a malicious hacker, or even by a competitor seeking a business advantage.
In this case, leaked API keys put the enterprise, its data centers, its internal network and, of course, its customers at high risk of becoming victims of a cyberattack. API key disclosure often results in data breaches, privacy violations and reputational damage. A “simple” technical risk has turned into a high risk for the business. It is not without reason that cyber risk is in first place in the 2020 Allianz Risk Barometer (2020). In past years, API key leakage cases have already affected well-known companies such as Accenture, Verizon and Uber.
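A release-pipeline check for the leak described above, as an added example that is not from the original article or from Build38: it scans a built APK or IPA (both are zip archives) for AWS access key IDs before the app is published. The function names and the sample archive are constructed for illustration, and the key in the sample is AWS's documented example value, not a real credential.

```python
import io
import re
import sys
import zipfile

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) followed by
# 16 upper-case alphanumerics, not embedded in a longer token.
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def scan_package(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, redacted key ID) for each AWS key ID in a zip-based app package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            blob = pkg.read(info)
            # Raw bytes catch ASCII/UTF-8 strings (dex, JSON, plist). The two
            # strided views catch UTF-16LE strings at even or odd offsets, as
            # found in Android resource string pools.
            for view in (blob, blob[0::2], blob[1::2]):
                for match in AWS_KEY_ID.finditer(view):
                    key = match.group(0).decode("ascii")
                    # Redact so the CI log does not become a second leak.
                    findings.append((info.filename, key[:4] + "*" * 12 + key[-4:]))
    return findings


def build_sample(with_key: bool = True) -> bytes:
    """Constructed sample: a zip laid out like an APK (not a valid, installable app)."""
    secret = b"AKIAIOSFODNN7EXAMPLE" if with_key else b"loaded-at-runtime"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("classes.dex", b"dex\n035\x00\x14" + secret + b"\x00")
        pkg.writestr("resources.arsc", b"\x00\x00" + secret.decode().encode("utf-16-le"))
        pkg.writestr("assets/config.json", b'{"endpoint": "https://api.example.invalid"}')
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a package path as the first argument, or run without one to scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    results = scan_package(data)
    for name, redacted in results:
        print(f"possible AWS access key ID in {name}: {redacted}")
    sys.exit(1 if results else 0)  # non-zero exit fails the release job
```

A key ID match is only an indicator: the matching secret access key usually sits next to it, so any hit should block the release and trigger rotation of the credential.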
T.A.K protects API keys embedded in mobile apps.
Build38 provides developers with various means to protect app data, certificates, API keys etc. at rest (that is, while the data is securely stored on the device) and in motion (that is, while app data is transferred from the app to the corresponding service backend).
Build38’s Trusted Application Kit (T.A.K) allows developers to protect API keys with its “File Protector” functionality already during development. This lets developers ship API keys in encrypted form with the app and publish the app in app stores. Only at runtime are the API keys decrypted on the fly for use in API calls (the decryption key is, of course, well protected too). Additionally, the app is protected by checks of the runtime environment, application self-protection measures, checks for the use of hacking frameworks etc.
All in all, Build38 ensures that the app is fully protected and running in a secure environment, so that its data is safe and its users can rest assured.