Arshit Jain and Sai Ahladini Tripathy report some findings concerning the risk of unauthorized access to API keys enabling acquisition of sensitive or critical data. A recent investigation by CloudSEK found that a range of companies have mobile apps with API keys that are hardcoded in the app packages.
“These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks,” the researchers report, noting how some recent high-profile attacks such as the Imperva breach have leveraged this misconfiguration to compromise cloud infrastructure.
“… hardcoded API keys are akin to locking your house but leaving the key in an envelope titled ‘do not open,’ they write.
During our investigation, we found that out of the 13,000 apps currently uploaded to BeVigil, ~250 apps used the Razorpay API to enable financial transactions. And ~5% of these apps, i.e. 10 apps were found to be exposing their payment integration key ID and key secret. However, given that a purported 8 million businesses transact on Razorpay, the actual number of apps exposing API keys could be higher.
The researchers were quick to note that this was not a flaw in Razorpay or other such services — but it is evidence of how API keys are being mishandled by app developers and posing a risk to consumers and users.
Read more on BeVigil.