November 10, 2017
Security researchers have discovered that tens of developers have left API credentials in hundreds of applications built around the Twilio service.
Researchers say that attackers can extract these credentials from the source code of vulnerable apps and gain access to conversations and SMS messages sent by that app — and its users — via Twilio, a cloud platform that allows third-party apps to make and receive phone calls and SMS messages via programmatic APIs to various telephony providers.
This slew of apps with hardcoded Twilio API credentials was discovered in April this year by the Appthority Mobile Threat Team (MTT), who informed Twilio of the problem in July.
Twilio has since been notifying app developers and working with them to revoke access for the exposed API keys.
Researchers find 685 apps with hardcoded Twilio credentials
Appthority has been keeping tabs of this problem under the codename of Eavesdropper, due to the highly sensitive data these applications contain.
"We found the Eavesdropper vulnerability on over 685 enterprise apps (44% Android, 56% iOS) associated with 85 Twilio developer accounts," the Appthority team said in a report published today.
"As of the end of August 2017, 75 of these apps were available on Google Play, and 102 were on the App Store," the research team added. "The affected Android apps had been downloaded up to 180 million times."
Affected apps leak hundreds of millions of call, text messages
Based on their findings, researchers say the scope is in the realm of "hundreds of millions of call records, minutes of calls and audio recordings, and text messages."
Appthority says that around a third of all affected apps are enterprise related, potentially granting attackers access to highly precious financial and business phone calls and SMS alerts.
But the problem is not limited to business apps alone. For example, the Appthority team said they found Twilio credentials in an app used for secure communications by a federal law enforcement agency, and navigation apps for customers such as AT&T and US Cellular.
App developers solely to blame
The cause of the Eavesdropper issue is careless developers. We've seen many cases in the past where developers leave API and server credentials inside an app's source code, instead of storing them in a secure, remote database.
The same Appthority report on the Eavesdropper vulnerability also points out that researchers found similar credentials for Amazon S3 servers.
A Fallible study published earlier this year found that 2,500 of 16,000 Android apps had some type of credentials inside them, usually for services like Twitter, Dropbox, Instagram, Slack, Flickr, or Amazon Web Services (AWS).
Another Appthority report published in May this year found that over 21,000 Elasticsearch servers used as backends by around 1,000 mobile apps were left unsecured and were exposing 43 TB of user and company data.