23 October 2024

AWS and Azure authentication keys found in popular Android and iOS apps


Symantec, a division of Broadcom, uncovered that many widely-used Android and iOS applications contain hardcoded and unencrypted cloud service credentials, exposing user data and app source codes to potential unauthorized access, data manipulation, and data theft.

Symantec's recent analysis showed that developers of popular apps have hardcoded authentication keys for cloud services like Amazon Web Services (AWS) and Microsoft Azure Blob Storage into their applications.

“This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches,” the researchers warn.

Among the affected Android apps (distributed via Google Play), several were found to contain hardcoded Microsoft Azure Blob Storage credentials (Meru Cabs, Sulekha Business, ReSound Tinnitus Relief, Beltone Tinnitus Calmer, Saludsa, and Chola MS Break In); others contained hardcoded Amazon Web Services credentials (Pic Stitch) or hardcoded Twilio credentials (EatSleepRIDE Motorcycle GPS).

Most of the impacted iOS apps (distributed via Apple's App Store) were found to contain hardcoded Amazon Web Services credentials (Crumbl, Eureka: Earn money for surveys, Videoshop – Video Editor, Solitaire Clash: Win Real Cash, and Zap Surveys: Earn Easy Money).

To reduce the risks of handling sensitive information, developers should adopt best practices such as using environment variables, implementing secrets management, encrypting sensitive data, conducting code reviews and audits, and automating security scanning.
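The last of those practices, automated scanning, is the one a build pipeline can enforce before an app ships. The script below is an added example, not code from Symantec or from any of the apps named above: it pulls printable strings out of a build artifact the way the Unix `strings` utility does, matches them against the public formats of the three credential types the report mentions (AWS access key IDs, Azure Storage account keys, Twilio account SIDs), and reports redacted findings so the scan log itself does not become another leak. The regular expressions are this example's own assumptions about those formats, and the sample "binary" is constructed inline (the AWS key ID in it is the placeholder value used in AWS documentation, not a live key).

```python
import re
from dataclasses import dataclass

# Credential formats worth flagging in an app build artifact. These patterns are
# an assumption of this example, modelled on the publicly documented shape of each
# credential type; they are not taken from the Symantec report.
PATTERNS = {
    # AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase/digits
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # Azure Storage connection strings carry the account key as base64 after "AccountKey="
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    # Twilio account SIDs: "AC" + 32 hex characters
    "twilio_account_sid": re.compile(r"(?<![0-9a-fA-F])AC[0-9a-fA-F]{32}(?![0-9a-fA-F])"),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which PATTERNS entry matched
    offset: int    # byte offset of the match inside the scanned blob
    preview: str   # redacted value: first 4 and last 2 characters only


def extract_strings(blob: bytes, min_len: int = 8):
    """Yield (offset, text) for every run of at least min_len printable ASCII bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def redact(secret: str) -> str:
    """Keep just enough of a value to locate it in source, never enough to reuse it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def find_hardcoded_credentials(blob: bytes) -> list:
    """Scan a binary blob (APK contents, Mach-O, compiled JS bundle...) for embedded
    credentials and return redacted findings in offset order."""
    findings = []
    for offset, text in extract_strings(blob):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                # Patterns with a capture group report only the secret part of the match.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(kind, offset + m.start(), redact(secret)))
    findings.sort(key=lambda f: f.offset)
    return findings


def report(findings: list) -> list:
    """Render findings as log lines suitable for a CI job; non-empty means 'fail the build'."""
    return [f"{f.kind} at offset {f.offset}: {f.preview}" for f in findings]


# Constructed sample artifact: an ELF-like header, three embedded credential strings,
# and one decoy that merely resembles a Twilio SID. The AWS key ID is the example
# value from AWS documentation, not a real credential.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b'aws_key="AKIAIOSFODNN7EXAMPLE"\x00'
    + b"DefaultEndpointsProtocol=https;AccountName=exampleacct;AccountKey="
    + b"A" * 86 + b"==;EndpointSuffix=core.windows.net\x00"
    + b"twilio_sid=AC0123456789abcdef0123456789abcdef\x00"
    + b"ACCESS_TOKEN_PLACEHOLDER\x00"   # decoy: "AC" followed by non-hex, must not be flagged
    + b"\x00\x01\x02"
)

if __name__ == "__main__":
    for line in report(find_hardcoded_credentials(SAMPLE_BINARY)):
        print(line)
```

Run against an unpacked APK (`classes.dex`, native `.so` files, `assets/`) or an extracted iOS app bundle in the pipeline and fail the build on any finding; the redacted preview is enough for a developer to locate the string in source, and the pattern table is the place to add further providers.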

