The study aimed at evaluating the state of mobile app security during COVID-19, and looked at the most downloaded and highest-grossing apps across 18 categories in the first quarter of 2021. They found that the majority of the apps analyzed contain open source components with known security vulnerabilities, meaning that the most popular Android apps today have some type of vulnerability. 

The researchers also found that information leakage is commonplace in mobile apps. From the over 3000 Android apps analyzed, the study found several instances of information leakages, among others: 

• 804 Google Cloud Tokens 
• 60 Asymmetric private keys
• 817 Auth0 tokens 
• 65 JSON web tokens
• 26 AWS keys
• 27 568 IP Addresses
• 365 227 URLs

Leaving sensitive information such as passwords, tokens, and keys unprotected and easily retrievable can provide attackers access to servers, systems, or other sensitive properties. This can have damaging consequences, and leakage of sensitive assets can in the worst case result in serious data breaches, fines, and a damaged brand reputation for the targeted company.

Protect your app assets

To prevent information leakage, app providers need proper solutions for securely storing and protecting app assets, both locally on the end-user device and inside a published app. Promon SHIELD™’s features Secure Local Storage (SLS) and Secure Application ROM (SAROM) will help you keep your app assets safe. 

Secure Local Storage (SLS) lets you store app secrets, such as session tokens, personally identifiable information, and API keys, locally on an end-user device in a secure and encrypted manner, even if the device is compromised. Secure Local Storage is a better alternative to Whitebox Crypto Solutions, as implementing a stand-alone solution is complex, time-consuming, and costly. 

Our feature Secure Application ROM (SAROM)  offers a simple-to-use solution to a challenge that is difficult to solve on any mobile platform – protecting specific assets in a published app. SAROM encrypts data in a secure manner to protect fixed app secrets, such as API keys and certificates, from theft. 

Encrypted assets are never statically accessible with SAROM, but rather dynamically decrypted when the app needs an asset. This makes it difficult for attackers to find and retrieve the encrypted secrets and decreases the attack scope dramatically.