This session was given at Paris Android Makers by droidcon 2023 by Mackenzie Jackson.
More info: https://androidmakers.droidcon.com/
Secrets such as API keys, certificates and other credentials are the crown jewels of our applications: they grant access to our most sensitive data and systems, including databases, cloud infrastructure and third-party services. Despite that sensitivity, they routinely leak through source code and through compiled mobile applications.
Throughout the presentation, we analyze two in-depth research projects to show how mobile applications, and specifically Android applications, are leaking secrets. The presentation is broken into three sections:
*Part 1 - How attackers find and exploit secrets*
We break down a collection of real-life breaches in which attackers discovered and exploited leaked credentials to gain unauthorized access to different services: how the credentials were discovered, how they were exploited, and what the attackers were able to access or control.
*Part 2 - Secrets in source code*
GitGuardian's 2022 State of Secrets Sprawl report showed that more than 6 million secrets were leaked publicly through source code on GitHub.com in 2021. This number increased again in the (yet to be released) 2023 State of Secrets Sprawl Report. We focus specifically on how many secrets were discovered inside Android projects: the total number of secrets found, the most common secret types, and the files that most often contain plain-text secrets.
*Part 3 - Secrets on the play store*
The third section reviews research into how many mobile applications on the Google Play Store are leaking secrets. The research covers nearly 50,000 APK files that were downloaded from the Play Store and decompiled to determine how many contained secrets. We show the overwhelming percentage of apps that contained plain-text secrets and the types of secrets most commonly found.
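As an added illustration of the Part 3 method, here is a minimal scanner of the kind used to check decompiled apps for plain-text secrets. It is example code written for this page, not code from the talk or from GitGuardian's research. It handles two inputs: files already decoded with apktool (strings.xml, smali), and a raw APK, whose classes.dex and assets/ entries are searched for printable strings the way `strings classes.dex | grep AKIA` would. The AKIA, AIza and sk_live_ prefixes are the real AWS, Google and Stripe formats; the keyword-plus-entropy rule is a heuristic, and all sample inputs (SAMPLE_DECODED, build_sample_apk) are constructed for the example. Compiled resources (resources.arsc, binary AndroidManifest.xml) still need apktool first.

```python
import io
import math
import re
import zipfile
from collections import Counter
from dataclasses import dataclass

# Vendor formats with fixed prefixes (real formats: AWS access key IDs start
# with AKIA, Google API keys with AIza, Stripe live secret keys with sk_live_).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# Heuristic: a credential-like name followed within 40 chars by a quoted or
# XML-wrapped value of 12+ chars, e.g. <string name="x_secret">..</string>
# or API_KEY = "...". Low-entropy values (placeholders) are dropped.
KEYED = re.compile(
    r"(?i)(secret|password|passwd|api[_-]?key|token|private[_-]?key)"
    r"[^\n]{0,40}?[\"'>]([^\"'<>\s]{12,})"
)
ENTROPY_FLOOR = 3.0  # bits per character


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Findings in one text artifact; each distinct value is reported once."""
    findings: list[Finding] = []
    seen: set[str] = set()

    def add(kind: str, value: str) -> None:
        if value not in seen:
            seen.add(value)
            findings.append(Finding(path, kind, value))

    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            add(kind, m.group(0))
    for m in KEYED.finditer(text):  # generic rule runs last so vendor kinds win
        if shannon_entropy(m.group(2)) >= ENTROPY_FLOOR:
            add("keyed_high_entropy", m.group(2))
    return findings


def scan_decoded(files: dict[str, str]) -> list[Finding]:
    """Scan apktool-style decoded output given as {relative path: contents}."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def printable_strings(data: bytes, min_len: int = 8) -> str:
    """ASCII runs of at least min_len bytes, one per line (like strings(1))."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return "\n".join(m.group(0).decode("ascii") for m in runs)


def scan_apk(apk_bytes: bytes) -> list[Finding]:
    """Scan an undecoded APK (a zip): DEX string data plus assets/ and res/raw/."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex") or name.startswith(("assets/", "res/raw/")):
                findings.extend(scan_text(name, printable_strings(zf.read(name))))
    return findings


# Constructed sample: what apktool output for one app might contain.
SAMPLE_DECODED = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
        '    <string name="app_name">DemoShop</string>\n'
        '    <string name="google_maps_key">AIzaSyA-EXAMPLE_0123456789abcdefghijklm</string>\n'
        '    <string name="backend_secret">XXXXXXXXXXXXXXXX</string>\n'
        "</resources>\n"
    ),
    "smali/com/example/BuildConfig.smali": (
        '.field public static final PAYMENT_TOKEN:Ljava/lang/String; '
        '= "sk_live_0Z9y8X7w6V5u4T3s2R1q0P9o"\n'
    ),
}


def build_sample_apk() -> bytes:
    """Constructed stand-in for a downloaded APK; classes.dex is not valid
    bytecode, only bytes shaped like a DEX string pool."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 16 + b"Lcom/example/net/S3Client;\x00"
                + b"AKIAIOSFODNN7EXAMPLE\x00\x01\x02")  # AWS's documented example ID
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML, skipped
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("assets/config.json", b'{"env": "prod", "analytics_enabled": true}')
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_decoded(SAMPLE_DECODED) + scan_apk(build_sample_apk()):
        print(f"{f.path}: {f.kind} = {f.value[:8]}...")
```

On the constructed input the scanner reports the Google Maps key and the Stripe live key from the decoded files and the AWS access key ID from the DEX string pool, while the XXXX placeholder in backend_secret is suppressed by the entropy floor. Against a real corpus the same two paths apply: decode with apktool and scan the text output, or unzip and scan DEX and asset bytes directly.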
Together these sections show that attackers are actively looking for and exploiting secrets in our applications, and they reveal the two predominant ways secrets end up in public places. The presentation finishes with actionable steps developers can take to prevent secrets from leaking.
Video: "Are your secrets secure - How mobile apps are leaking millions of credentials" by Mackenzie Jackson, added by Android Makers on 17 June 2023.