On November 8th, 2017, security researchers from Appthority identified 685 iOS and Android apps that hardcoded their Twilio credentials into their mobile binaries. Using this issue, dubbed Eavesdropper, the researchers were able to gain access to all of the affected apps' private communications via Twilio's APIs.
Twilio provides app developers a REST API and SDKs for communication services, including calling and messaging. Developers authenticate to these services with their account credentials: the Account SID, which identifies the account, and the Auth Token, which acts as its password. Developers who did not follow Twilio's client coding guidelines hardcoded these credentials in their mobile apps, where anyone holding a copy of the binary can read them.
By reverse engineering the app binaries, the researchers were able to recover these credentials and, with them, retrieve all user data reachable through the account, including but not limited to text/SMS messages, call metadata, and voice recordings.
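What the reverse-engineering step comes down to in practice is a search of the unpacked app for credential-shaped strings. The following is an added example, not Appthority's or Data Theorem's code: it scans raw bytes such as the string section of a decompiled classes.dex or a strings.xml for the two shapes Twilio uses, an Account SID ("AC" followed by 32 hex characters) and an Auth Token (32 hex characters), pairs a token with the SID it follows, and builds the HTTP Basic Authorization header that the Twilio REST API accepts for such a pair, to make concrete what the leak grants. The sample bytes, the 256-byte pairing window and the `Config` class name are constructed for the example.

```python
"""Finding hardcoded Twilio credentials in extracted mobile-app bytes.

A lone 32-hex string also matches MD5 digests and dash-less UUIDs, so a
token candidate is only attributed to a SID when it appears shortly after
it, which is how the two usually sit together in a config class.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

SID_RE = re.compile(rb"AC[0-9a-fA-F]{32}")
# 32 hex chars not embedded in a longer hex run; the lookbehind also keeps
# the hex tail of a SID (preceded by 'C') from being mistaken for a token.
TOKEN_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
PAIR_WINDOW = 256  # assumed: bytes after a SID in which a token counts as its pair


@dataclass(frozen=True)
class TwilioFinding:
    offset: int                # byte offset of the SID in the scanned blob
    account_sid: str
    auth_token: Optional[str]  # None when no token candidate follows the SID


def find_twilio_credentials(blob: bytes, window: int = PAIR_WINDOW) -> list[TwilioFinding]:
    """Return one finding per Account SID, with the nearest following token."""
    findings = []
    for m in SID_RE.finditer(blob):
        region = blob[m.end(): m.end() + window]
        t = TOKEN_RE.search(region)
        findings.append(TwilioFinding(
            offset=m.start(),
            account_sid=m.group().decode("ascii"),
            auth_token=t.group().decode("ascii") if t else None,
        ))
    return findings


def basic_auth_header(account_sid: str, auth_token: str) -> str:
    """The Authorization header Twilio's REST API accepts for this pair.

    Twilio authenticates REST calls with HTTP Basic auth, Account SID as the
    user name and Auth Token as the password, so a pair lifted from a binary
    is directly usable against the account's messages, call logs and
    recordings. Built here only to show what the leak grants; nothing is sent.
    """
    raw = f"{account_sid}:{auth_token}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def scan_file(path: str) -> list[TwilioFinding]:
    """Scan an unpacked app artifact on disk (e.g. classes.dex, strings.xml)."""
    with open(path, "rb") as fh:
        return find_twilio_credentials(fh.read())


# Constructed sample: the string section of a decompiled Android config
# class, with an MD5 digest placed before the SID as a decoy and a second
# SID that has no token near it. Made-up values, not real credentials.
SAMPLE_DEX_STRINGS = (
    b"Lcom/example/app/Config;\x00"
    b"BUILD_HASH\x00d41d8cd98f00b204e9800998ecf8427e\x00"
    b"TWILIO_ACCOUNT_SID\x00ACa1b2c3d4e5f60718293a4b5c6d7e8f90\x00"
    b"TWILIO_AUTH_TOKEN\x000f1e2d3c4b5a69788796a5b4c3d2e1f0\x00"
    b"LEGACY_SID\x00AC" + b"f" * 32 + b"\x00"
)


if __name__ == "__main__":
    for f in find_twilio_credentials(SAMPLE_DEX_STRINGS):
        tok = f.auth_token or "<no token within window>"
        print(f"offset {f.offset:#x}: sid={f.account_sid} token={tok}")
```

Run against a real unpacked app with `scan_file("classes.dex")`; a SID reported without a token is still worth following up, since the token may live in a separate resource file or be assembled at runtime, and a SID-plus-token pair should be treated as a live account compromise and rotated before anything else.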
Data Theorem has already added a check for this issue to our "Scan & Secure" engine, and we are in the process of reaching out to every customer whose apps are vulnerable to Eavesdropper.
The recommendation to fix this issue is as follows: