RESEARCHERS FIND SEVERAL MOBILE APPS WITH HARDCODED TWILIO CREDENTIALS.

Nov 29, 2017 10:41:23 AM / by Himanshu Dwivedi

On November 8th, 2017, security researchers from Appthority identified 685 iOS and Android apps that hardcoded their Twilio credentials into the mobile binary. Using this issue, dubbed Eavesdropper, the researchers were able to gain access to all of the affected apps' private communications via Twilio's APIs.


Twilio provides app developers a REST API and SDKs for communication services, including calling and messaging. Developers authenticate to these services with their account credentials, the Twilio Account SID and Auth Token. However, developers who did not follow Twilio's client coding guidelines hardcoded these credentials in their mobile apps.

By reverse engineering the app binary, the researchers were able to extract these credentials and, with them, retrieve all of the apps' user data, including but not limited to text/SMS messages, call metadata, and voice recordings. An Account SID and Auth Token grant full access to the account, so anyone who pulls the strings out of a published binary has the same access the app's backend does.
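The check described above is easy to reproduce with a few regular expressions. The scanner below is an added example for this post, not Appthority's or Data Theorem's tooling; it relies only on Twilio's documented credential formats (Account SIDs are "AC" plus 32 hex characters, API Key SIDs are "SK" plus 32 hex characters, and Auth Tokens and API Key secrets are 32 hex characters with no prefix) and also looks inside base64 runs, because apps sometimes ship a prebuilt `Authorization: Basic` header rather than the bare strings. The sample blob, SID and token are constructed placeholders, not real data.

```python
"""Scan an app binary (or any byte blob) for hardcoded Twilio credentials.

Added example for this post, not Appthority's or Data Theorem's scanner.
It assumes only Twilio's documented credential formats (see module constants).
"""
import base64
import re
import sys
from typing import Dict, List, Tuple

# "AC" + 32 hex = Account SID, "SK" + 32 hex = API Key SID.
SID_RE = re.compile(rb"(?<![0-9A-Za-z])(AC|SK)[0-9a-fA-F]{32}(?![0-9A-Za-z])")
# 32 bare hex chars = Auth Token or API Key secret.
SECRET_RE = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")
# Long base64 runs, e.g. the value of an "Authorization: Basic SID:token" header.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")
KIND_BY_PREFIX = {b"AC": "account_sid", b"SK": "api_key_sid"}


def _looks_random(candidate: bytes) -> bool:
    """Cheap false-positive filter: a real token uses many distinct hex digits."""
    return len(set(candidate)) >= 8


def scan_blob(blob: bytes, encoding: str = "raw") -> List[Dict[str, object]]:
    """Return every credential-shaped string in blob with its byte offset."""
    findings: List[Dict[str, object]] = []
    for m in SID_RE.finditer(blob):
        findings.append({"kind": KIND_BY_PREFIX[m.group(0)[:2]],
                         "value": m.group(0).decode(),
                         "offset": m.start(), "encoding": encoding})
    for m in SECRET_RE.finditer(blob):
        # The hex body of a SID is preceded by "C" or "K", so the lookbehind
        # already stops it from being reported a second time as a secret.
        if _looks_random(m.group(0)):
            findings.append({"kind": "secret", "value": m.group(0).decode(),
                             "offset": m.start(), "encoding": encoding})
    if encoding == "raw":  # decode one level only; never recurse on decoded data
        for m in B64_RE.finditer(blob):
            try:
                decoded = base64.b64decode(m.group(0), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            for f in scan_blob(decoded, encoding="base64"):
                f["offset"] = m.start()  # where the encoded run sits in the binary
                findings.append(f)
    return findings


def credential_pairs(findings: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """SID/secret combinations an attacker would try against Twilio's REST API."""
    sids = sorted({str(f["value"]) for f in findings
                   if f["kind"] in ("account_sid", "api_key_sid")})
    secrets = sorted({str(f["value"]) for f in findings if f["kind"] == "secret"})
    return [(sid, secret) for sid in sids for secret in secrets]


# Constructed sample standing in for strings pulled from an app binary.
# The SID and token are made-up values in Twilio's format, not real credentials.
SAMPLE_SID = "AC0123456789abcdef0123456789abcdef"
SAMPLE_TOKEN = "ffeeddccbbaa99887766554433221100"
SAMPLE_BLOB = (
    b"\x00\x00libtwilio\x00"
    + b"TWILIO_ACCOUNT_SID=" + SAMPLE_SID.encode() + b"\x00"
    + b"TWILIO_AUTH_TOKEN=" + SAMPLE_TOKEN.encode() + b"\x00"
    + b"Authorization: Basic "
    + base64.b64encode(f"{SAMPLE_SID}:{SAMPLE_TOKEN}".encode()) + b"\r\n"
    + b"00000000000000000000000000000000\x00"  # hex-shaped but no entropy: filtered
    + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for finding in scan_blob(data):
        print(f"{finding['offset']:#010x} {finding['encoding']:6} "
              f"{finding['kind']:12} {finding['value']}")
    for sid, secret in credential_pairs(scan_blob(data)):
        print(f"usable pair: {sid} / {secret}")
```

Run it against an unpacked APK's `classes.dex` and `lib/` objects, or an `.ipa`'s main Mach-O, with `python scan.py <file>`; a hit for both a SID and a secret in the same binary is exactly the Eavesdropper condition.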

Data Theorem has already added detection for this issue to our "Scan & Secure" engine, and we are reaching out to any customer whose apps are vulnerable to Eavesdropper.

The recommendation to fix this issue is as follows:

Immediately remove the hardcoded credentials from the app and rotate the exposed Auth Token: deleting the strings from the next build does not revoke them, and a token that shipped in any released version remains valid until it is changed. Twilio provides a feature called Capability Tokens for client-side applications. Capability tokens let you add Twilio capabilities to web and mobile applications without exposing the Auth Token in JavaScript or any other client-side environment. The capability token is created on the server, where the developer specifies exactly which capabilities a mobile app should have. All tokens have a limited lifetime to protect against abuse: the lifetime is configurable up to 24 hours, but it should be made as short as possible. More details on Capability Tokens are in Twilio's documentation.
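The server-side flow recommended above, as an added example that is not Twilio's helper library and not code from the original post. It reproduces the documented shape of a Twilio Client capability token (an HS256 JWT signed with the Auth Token, with `iss` set to the Account SID, an `exp` claim, and a space-separated list of scope URIs) so the flow can be run offline; in production, mint the token with Twilio's SDK. The Account SID, Auth Token and TwiML App SID are made-up placeholders, the `verify_capability_token` function stands in for the check Twilio performs on its side, and the 24-hour ceiling and the much shorter default are the lifetimes the text describes.

```python
"""Mint short-lived Twilio-style capability tokens on the server.

Added example, not Twilio's helper library. The JWT layout mirrors Twilio's
documented Client capability token; the SIDs and token are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

MAX_TTL = 24 * 60 * 60   # Twilio's ceiling for a capability token's lifetime
DEFAULT_TTL = 10 * 60    # issue tokens far shorter than the ceiling

# Server-side secrets: these live on the backend and are never built into the app.
ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef"  # placeholder
AUTH_TOKEN = "ffeeddccbbaa99887766554433221100"      # placeholder
TWIML_APP_SID = "AP0123456789abcdef0123456789abcdef"  # hypothetical TwiML app


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_capability_token(client_name: str, ttl: int = DEFAULT_TTL,
                          allow_outgoing: bool = False,
                          now: Optional[int] = None) -> str:
    """Create a token granting client_name only the capabilities listed here.

    Call this from an authenticated backend endpoint: the app receives the
    token, never AUTH_TOKEN. Lifetimes above Twilio's 24-hour cap are refused.
    """
    if not 0 < ttl <= MAX_TTL:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL} seconds")
    issued_at = int(time.time()) if now is None else now
    scopes = [f"scope:client:incoming?clientName={client_name}"]
    if allow_outgoing:  # outgoing calls need a TwiML app to route them
        scopes.append(f"scope:client:outgoing?appSid={TWIML_APP_SID}"
                      f"&clientName={client_name}")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ACCOUNT_SID, "exp": issued_at + ttl, "scope": " ".join(scopes)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = hmac.new(AUTH_TOKEN.encode(), signing_input.encode(),
                         hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_capability_token(token: str, now: Optional[int] = None) -> Dict[str, object]:
    """Check signature, issuer and expiry as the service would; return the claims."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have three dot-separated parts") from None
    expected = hmac.new(AUTH_TOKEN.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    current = int(time.time()) if now is None else now
    if claims.get("iss") != ACCOUNT_SID or claims.get("exp", 0) <= current:
        raise ValueError("token expired or issued for another account")
    return claims


def token_response(client_name: str, ttl: int = DEFAULT_TTL) -> Dict[str, object]:
    """What the backend hands to the mobile app: a token and its lifetime, nothing else."""
    return {"token": mint_capability_token(client_name, ttl), "expires_in": ttl}


if __name__ == "__main__":
    issued = token_response("alice", ttl=300)
    print(json.dumps(issued, indent=2))
    print("claims:", verify_capability_token(str(issued["token"])))
```

Keep `mint_capability_token` behind the same session check the rest of the backend uses, so a token is only minted for the user who is logged in, and have the app refresh it on expiry rather than asking for a longer lifetime. The important property is visible in `token_response`: nothing in what the client receives lets it derive `AUTH_TOKEN`, so even a fully reverse-engineered app yields only a short-lived, narrowly scoped token.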


Topics: privacy, security

Written by Himanshu Dwivedi

CEO of Data Theorem, Inc.