
Summary created by Smart Answers AI
In summary:
- PCWorld reports that over 1 million Android apps exposed 700 TB of sensitive user data through hardcoded API keys and security vulnerabilities.
- Research found 72% of AI apps contained dangerous “secrets” in their code, with 81% linked to Google Cloud projects enabling unauthorized third-party access.
- Users should exercise extreme caution when installing new apps, particularly AI applications that request sensitive financial or personal information.
Towards the end of January, security researchers at Cybernews published a study on AI apps in the Google Play Store. The study revealed that numerous AI apps had inadequate security, leading them to inadvertently leak data from Google’s cloud servers.
The result? A whopping total of 730 million TB of data being exposed, partly through targeted attacks. The leak includes sensitive financial data that could enable hackers to drain digital wallets.
How did this happen?
According to the report, most AI apps in the Google Play Store rely on an insecure practice called “hardcoding,” which means that sensitive information (such as API keys and passwords) is stored directly in the app’s source code. Apparently, 72 percent of the apps analyzed contained at least one hard-coded “secret” in their code.
Meanwhile, 81 percent of the secrets discovered were related to Google Cloud projects and allowed third parties to access Google services. Some of these could be exploited through automated attacks.
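For developers, a pre-release check for the hardcoding described above can look like the following. This is an added example, not code from the Cybernews study or from this article; the file names, sample values and the entropy threshold are assumptions constructed for illustration, and the `AIza` prefix followed by 35 characters is the standard shape of a Google API key.

```python
import math
import re

# Constructed sample: lines as they might appear in an unpacked app.
# Every value is made up for this example.
FAKE_GOOGLE_KEY = "AIza" + "EXAMPLE" * 5  # 39 chars, key-shaped, not a real key
SAMPLE_FILES = {
    "res/values/strings.xml":
        '<string name="app_name">ChatHelper</string>\n'
        f'<string name="google_api_key">{FAKE_GOOGLE_KEY}</string>\n',
    "src/Config.java":
        'static final String API_TOKEN = "changeme-changeme";\n'
        'static final String PAYMENT_SECRET = "q7Zp2LxV9mK4sT8wB3nR6yH1";\n'
        'static final String BASE_URL = "https://api.example.com/v1";\n',
}

GOOGLE_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
# Identifier that sounds like a credential, assigned a string literal.
ASSIGNED = re.compile(
    r'(?i)\b\w*(?:secret|password|token|api_?key)\w*\s*=\s*"([^"]{8,})"')
MIN_ENTROPY = 3.5  # bits per character; an assumed threshold, tune per code base


def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))


def redact(value):
    """Keep findings reportable without copying the secret into logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan(files):
    """Return (path, line_no, rule, redacted_value) for each likely secret."""
    findings = []
    for path, text in sorted(files.items()):
        for no, line in enumerate(text.splitlines(), 1):
            for m in GOOGLE_KEY.finditer(line):
                findings.append((path, no, "google-api-key", redact(m.group())))
            for m in ASSIGNED.finditer(line):
                # Low-entropy literals are usually placeholders, not keys.
                if entropy(m.group(1)) >= MIN_ENTROPY:
                    findings.append((path, no, "assigned-secret", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(*finding)
```

Any hit in a shipped build should be treated as already public: rotate the key, then restrict it or move the call behind a server the app authenticates to.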

This is a widespread problem that primarily affects newer apps that follow current trends. These apps end up in the Google Play Store without developers having had the opportunity to incorporate adequate security mechanisms. The typical reason for this is time pressure, as apps in the field of AI are developed quickly and rushed to market in order to keep up with the competition.
Apart from that, however, a large amount of data belonging to Facebook clients has also been leaked. In total, the Cybernews research team examined 1.8 million Android apps from the Google Play Store.
What is the risk for users?
This leaked data poses a particular risk when it’s linked to services that process financial, analytical, or customer data. API keys can be used, for example, to act on behalf of users, manipulate accounts, or falsify transaction histories.
You don’t need to worry that your conversations with LLMs like ChatGPT have been leaked. The APIs of these well-known services were largely unaffected, as they weren’t built with hardcoding.
But you do need to be aware that the security of most of these apps hasn’t been improved even after leaks were detected. For many, the access points for attacks remain in place.
Here’s what this means for you: Always be careful when installing new apps from the Google Play Store, especially if they require you to disclose sensitive data about yourself. You can never know how well the developers have secured their own code.
At the end of the report, the researchers also state that it’s not only Android apps that are affected by this problem. Apps in the iOS App Store also show the same dangerous trend of secrets being hardcoded into apps. However, the sample size was significantly smaller here, with only 156,000 iOS apps examined (of which around 70 percent also contained at least one hardcoded secret).
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
Author: Laura Pippig, Staff Writer, PC-WELT