Hardcoded credentials in Android apps: Service exposure and category-based vulnerability analysis

Mykhaylova, O. and Fedynyshyn, T. and Platonenko, Artem (2024) Hardcoded credentials in Android apps: Service exposure and category-based vulnerability analysis. Cybersecurity Providing in Information and Telecommunication Systems II 2024, 3826. pp. 206-211. ISSN 1613-0073

Text: O_Mykhaylova_T_Fedynyshyn_A_Platonenko_CPITS_2024_3826.pdf

Official link: https://ceur-ws.org/Vol-3826/

Abstract

This paper presents an extensive study of the security vulnerabilities in Android applications related to the hardcoding of sensitive credentials. A total of 6,165 APK files were downloaded from the Google Play Store and subjected to static analysis using Mobile Security Framework (MobSF). For each application, the “secrets” section, as identified by MobSF, was further examined using Trufflehog to detect and verify the presence of hardcoded credentials. The findings reveal a concerning prevalence of hardcoded credentials, with a significant portion of applications embedding sensitive information such as API keys and authentication tokens. The analysis identified various services for which credentials are frequently hardcoded, including cloud service providers, payment gateways, and third-party APIs. We also categorized the occurrence of hardcoded secrets by app type, analyzing the percentage of applications with exposed credentials across various Google Play categories. This study underscores the critical security risks posed by hardcoding secrets in mobile applications and provides insights into the scope and distribution of this vulnerability within the Android ecosystem. The results emphasize the need for stronger security practices in mobile app development, particularly regarding the secure management of sensitive information, and highlight potential areas of improvement in mobile application security.
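As an added example (not code from the paper, MobSF or Trufflehog), the following Python sketches the classification step the abstract describes: strings pulled from a decompiled APK are matched against known provider key formats so a hit can be attributed to a service, and anything unmatched but long and high-entropy is flagged for manual review. The strings.xml content and every key value are constructed; the AWS `AKIA` and Google `AIza` prefixes are the publicly documented formats.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android res/values/strings.xml as it appears after
# decompiling an APK; every value below is made up for this example.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo Shop</string>
    <string name="aws_access_key">AKIAEXAMPLE0000000AB</string>
    <string name="maps_key">AIzaSyEXAMPLE-0000000000000000000000000</string>
    <string name="api_token">Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==</string>
    <string name="welcome">Welcome back!</string>
</resources>
"""

# Service-specific formats, so a hit can be attributed to a provider the way the
# paper groups findings (cloud providers, payment gateways, third-party APIs).
SERVICE_PATTERNS = {
    "AWS access key ID": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "Google API key": re.compile(r"^AIza[0-9A-Za-z_-]{35}$"),
}
MIN_LENGTH = 20          # shorter values are rarely credentials
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens sit well above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; base64 tokens score ~4.5+, prose ~3."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_hardcoded_secrets(strings_xml: str) -> list:
    """Return (resource_name, finding) pairs for values that look like credentials."""
    findings = []
    for item in ET.fromstring(strings_xml).iter("string"):
        name, value = item.get("name"), (item.text or "").strip()
        service = next((s for s, rx in SERVICE_PATTERNS.items() if rx.match(value)), None)
        if service:
            findings.append((name, service))  # structured key: attribute to a service
        elif len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((name, "high-entropy string"))  # unknown format, still suspicious
    return findings


if __name__ == "__main__":
    for name, finding in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {finding}")
```

The two structured keys in the sample have low character entropy, which is why a scanner needs provider patterns alongside the entropy check; the verification step the paper delegates to Trufflehog (testing whether a key is live) is deliberately not reproduced here.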

Item type: Article
Keywords: android security; mobile security; data privacy; static analysis; improper credentials usage; OWASP Mobile; MobSF; Trufflehog
Typology: Articles in databases > Scopus
Divisions: Faculty of Information Technology and Mathematics > Department of Information and Cyber Security named after Professor Volodymyr Buriachok
Depositing user: Pavlo Mykolaiovych Skladannyi
Date deposited: 06 Dec 2024 08:21
Last modified: 06 Dec 2024 08:21
URI: https://elibrary.kubg.edu.ua/id/eprint/50158
