Analysis of 600 apps on the Google Play store by CloudSEK’s BeVigil security search engine found that 50% were leaking application programming interface (API) keys of three popular transactional and marketing email service providers.
The providers included Mailgun, MailChimp and SendGrid. CloudSEK has notified all involved entities and affected apps about the hardcoded API keys.
The leaked API keys allow threat actors to perform a variety of unauthorized actions such as sending emails, deleting API keys, and modifying two-factor authentication (2FA).
An API is a piece of software that allows applications to communicate with each other without any human intervention. An API key is a special identification used by users, developers or calling programs to authenticate themselves to an API.
CloudSEK said that an overall examination of all three providers' data revealed that the USA was the country with the highest number of downloads followed by the UK, Spain, Russia and India, leaving over 54 million mobile app users vulnerable.
In a breakdown of the research, CloudSEK noted how attackers could potentially exploit leaked API keys and said that it is advisable to keep API keys private.
MailGun provides email API services, enabling brands to send, validate and receive emails through their domain at scale. The research noted that in this case, an API key leak could allow threat actors to send and read emails, get Simple Mail Transfer Protocol (SMTP) credentials, IP addresses and statistics, as well as retrieve mailing lists of customers in order to launch phishing campaigns.
CloudSEK said that 35% of the analyzed packages contained a valid Mailgun key embedded in their android code and 132 domains were configured with the valid keys.
MailChimp is a transactional email service first introduced in 2001 and later launched as a paid service with an additional freemium option in 2009. An API key leak in this case would allow threat actors to read conversations, fetch customer information, expose email lists of multiple campaigns containing PII, start fake email campaigns and manipulate promotional codes. The research also noted that threat actors could authorize third party applications connected to a MailChimp account.
The report highlighted that of a total of 319 identified API keys, 28% were found to be valid and of those, 12 keys allowed read email access.
Finally, SendGrid is a communication platform intended for transactional and marketing emails. It provides cloud-based services to assist businesses with shipping notifications, friend requests, sign-up confirmations, email newsletters, etc.
An API lead would allow a threat actor to send emails, create API keys and control IP addresses used to access accounts, according to CloudSEK.
The research found that of 319 API keys, 128 were found to be valid and of those, 121 could allow threat actors to send emails using SendGrid, 65 could allow threat actors to delete API keys and 42 could allow the modification of 2FA.
Following the findings, CloudSEK said: “In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative. Software developers must avoid embedding API keys into their applications and should follow secure coding and deployment practices like standardize review procedures, rotate keys, hide keys and use vault.”