Are your secrets safe - How mobile applications are leaking millions of credentials

Presented at BSidesLV 2023, Aug. 8, 2023, 2 p.m. (45 minutes)

Secrets like API keys, security certificates, and other credentials are the crown jewels of our applications. They give access to our most sensitive information and systems, such as databases, cloud infrastructure, and third-party services. Despite being highly sensitive, these secrets are being leaked in our source code and in compiled mobile applications. Research shows that after reverse engineering 50,000 Android apps hosted on the Play Store, nearly 50% contained plaintext credentials. We review this research to show the most common types of secrets found, where they were found, and the industries they appear within. But how exactly do secrets end up in applications? To answer this, we explore research from GitGuardian, which every year scans every single public contribution to GitHub (over 1 billion commits) for secrets. The 2023 report showed 10 million credentials leaked publicly on GitHub. Here we break apart mobile applications' public code and see exactly how secrets leak through code history. We explore the connection between the two research projects (from code to applications), reveal how many mobile applications are leaking secrets, and, of course, show how to keep your secrets secure.

Presenters:

  • Mackenzie Jackson
    Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as a Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.
