Some Android app APIs have been putting users at risk
Rather worryingly, an analysis of 600 Android apps available on the Google Play Store has found that around 50% of the apps examined were leaking API keys for three of the most popular email marketing services.
An API, or application programming interface, is what lets an app talk to third-party services so that the two work together seamlessly with the heavy lifting done in the background. An API key is the credential that authorises those calls, and a key that has been shipped inside the app itself can be read by anyone who downloads the app and unpacks it. Unfortunately, the services involved here are some of the worst you could pick for this kind of exposure: they are the services online businesses use to collect customer contact details and run outbound marketing campaigns, so a leaked key opens the door to a great deal of customer data.
The analysis, by contextual AI cybersecurity specialists CloudSEK, used the company’s BeVigil security search engine to examine the 600 Google Play Store apps. It found that Mailchimp, SendGrid and Mailgun API keys were being leaked by roughly half of them. Anyone who extracts such a key can call the service’s API with the same privileges as the app’s developer, which both compromises the security of the businesses behind the apps and leaves their users more exposed to online scammers.
To drive home the seriousness of the issue, the affected apps have already been downloaded 54 million times in total, and every install is carrying the same leaked keys. According to CloudSEK, the exposure could let malicious actors read emails, steal customer data, access mailing lists and even send email campaigns as though they were the compromised businesses. That last point is what makes users particularly vulnerable: a phishing email sent through a company’s own marketing account, from its own sending domain, is incredibly difficult to tell apart from the real thing.
It is shocking, to say the least, that such a large share of the apps examined made it onto the Google Play Store with live credentials for prominent services embedded in them. As ever, with phishing scams on the rise these days, we will point you to this helpful infographic for spotting scam emails and phishing scams, which is full of tips to help you stay safe from these popular types of scams.
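The article says the keys were found inside the apps themselves. The following is an added example, written for this page and not CloudSEK’s or BeVigil’s code, of how such a check works in practice: an APK is a zip file, so the script walks every entry (dex bytecode, assets, resources), pulls out printable strings the way the `strings` utility does, and matches them against key-shaped patterns. The three patterns are assumptions about the public shape of each provider’s tokens (SendGrid keys begin with `SG.`, Mailchimp keys end in a datacenter suffix such as `-us21`, and older Mailgun keys begin with `key-`) and may need updating; the sample APK, its file names and the keys inside it are all constructed here for the demonstration and are not real credentials.

```python
"""Scan an Android APK for hardcoded email-marketing API keys.

Added example for illustration only. The key patterns below are assumptions
about each provider's token format, not something taken from the article.
"""
import os
import re
import tempfile
import zipfile

# Assumed token shapes (label: assumption, adjust for your providers):
#   SendGrid  : "SG." + 22 url-safe chars + "." + 43 url-safe chars
#   Mailchimp : 32 hex chars + "-" + datacenter suffix such as "us21"
#   Mailgun   : legacy "key-" + 32 hex chars
KEY_PATTERNS = {
    "sendgrid": re.compile(rb"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "mailchimp": re.compile(rb"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "mailgun": re.compile(rb"\bkey-[0-9a-f]{32}\b"),
}

# Runs of at least 8 printable ASCII bytes, like the `strings` utility.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")


def find_keys(blob: bytes):
    """Return (provider, key) tuples for every key-shaped string in blob."""
    hits = []
    for s in STRING_RE.findall(blob):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(s):
                hits.append((provider, match.group(0).decode("ascii")))
    return hits


def redact(key: str) -> str:
    """Keep only enough of a key to recognise it in a report."""
    return key[:6] + "..." + key[-4:]


def scan_apk(path: str):
    """Map each APK entry that contains a key to its list of findings.

    Only files are scanned; dex, assets and XML resources are all covered
    because the scan is byte-based rather than format-aware.
    """
    findings = {}
    with zipfile.ZipFile(path) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            hits = find_keys(apk.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


# Constructed sample content: fake keys in the assumed formats, not real ones.
SAMPLE_CONFIG = (
    b'{"mailchimp_key": "0123456789abcdef0123456789abcdef-us21", '
    b'"from": "news@example.com"}'
)
SAMPLE_DEX = (
    b"\x00\x01dalvik\x00"
    + b"SG." + b"a" * 22 + b"." + b"b" * 43 + b"\x00"
    + b"key-" + b"f" * 32 + b"\x00"
)


def make_sample_apk(path: str = None) -> str:
    """Write a small constructed APK-like zip so the scanner runs offline."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    with zipfile.ZipFile(path, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", SAMPLE_DEX)
        apk.writestr("assets/config.json", SAMPLE_CONFIG)
        apk.writestr(
            "res/values/strings.xml",
            b'<resources><string name="app_name">Demo</string></resources>',
        )
    return path


if __name__ == "__main__":
    # Usage: python scan_apk.py [app.apk]; with no argument the sample is used.
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_apk()
    for entry, hits in scan_apk(target).items():
        for provider, key in hits:
            print(f"{entry}: {provider} key {redact(key)}")
```

A hit from this scanner is a lead, not proof: a matched string could be a placeholder or a revoked key, so confirm with the provider’s own API before raising an alarm, and never paste a live key into a bug report (hence `redact`). The fix for an app that trips it is not a better regex but an architecture change: the key belongs on a server the developer controls, with the app calling that server rather than the marketing service directly.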
Why would you be shocked that these devices are doing exactly what they are designed to do?
Patrick, your article says “some apps”, but it’s 54 million apps, or around 50% of all the apps, and that is a bit more than some! :-)
To be fair, they checked 600 apps and 50% of those were leaking. That’s a pretty small subset of 54 million, but you’re probably right that most of them are leaking.
Is there a list/way to check one’s apps?
Is a list of all the affected apps available online? If so, would some kind person post it here? Thanks.
I have glossed over this article, but what I can say is that if you are able to remove and patch analytics, that would be a good start. If you don’t know how, I guess you could use things like Lucky Patcher.
It doesn’t matter if you pay for the app or not, there is always a ton of “analytics” and “telemetry” attached to these apps. There is no accountability or policing, which is basically the same as the Chrome Web Store. Atrocious!
I tend to disable certain services (such as AppMeasurement, things with Analytics in their name) within apps using MyAndroidTools (1.6.0, it’s an old version but working fine for me on Android 11)