Unveiling the Hidden Threat: Hardcoded Cloud Credentials in Widely Used Mobile Apps

Mobile apps have been found to include hardcoded, unencrypted cloud service credentials in their codebases, creating a pathway for attackers to access user data and backend services. The Pic Stitch: Collage Maker app specifically contains hardcoded AWS credentials, highlighting the need for developers to stop embedding secrets in app binaries.

Key points

  • Researchers discovered hardcoded and unencrypted cloud service credentials inside widely used mobile apps’ codebases.
  • Hardcoded credentials enable attackers who can access the app binary or source to extract keys and access cloud services.
  • The Pic Stitch: Collage Maker app (over 5 million Google Play downloads) contains embedded AWS credentials and S3 bucket information.
  • The app’s loadAmazonCredential(boolean z) method switches between production and staging credentials, exposing both environments if extracted.
  • Exposed credentials can lead to unauthorized manipulation or exfiltration of data from cloud storage services like Amazon S3 and Azure Blob Storage.
  • Developers are urged to adopt secure secret management practices to avoid embedding sensitive credentials in apps.

MITRE Techniques

  • [T1003] Credential Dumping – Extracting hardcoded credentials from application binaries or source code.
  • [T1041] Data Exfiltration – Using extracted credentials to manipulate or exfiltrate data from cloud services.
  • [T1071] Application Layer Protocol – Exploiting APIs to access cloud services using hardcoded credentials.

Indicators of Compromise

  • [Credentials] Hardcoded cloud access keys found in app code – production AWS access key ID, production AWS secret access key.
  • [Cloud Resource] Embedded storage identifiers – production Amazon S3 bucket name and staging bucket name.
  • [Application] Affected mobile app – Pic Stitch: Collage Maker (Google Play Store listing with over 5 million downloads).

Mobile applications are a central part of daily life, downloaded millions of times from major app stores, but a troubling issue has emerged: developers are sometimes embedding unencrypted cloud credentials directly into app code. When credentials for cloud services such as Amazon Web Services or Microsoft Azure are hardcoded into an application, anyone able to inspect the app binary or source can extract those keys and potentially access or manipulate the associated backend resources.

Recent analysis has identified multiple popular apps with this vulnerability, and one clear example is the Pic Stitch: Collage Maker application. With more than five million downloads on the Google Play Store, Pic Stitch stores AWS credentials inside its code. The app includes a method named loadAmazonCredential(boolean z) that selects between production and staging credentials based on a boolean flag; if the flag is true, the method loads production settings including the production S3 bucket name and corresponding read/write access and secret keys, while a false flag loads the staging equivalents. Because both environments’ credentials appear in the binary, extracting the app’s code can expose multiple sets of secrets and widen the potential impact.

The danger from exposed credentials is straightforward: attackers who recover these keys can use them to access cloud storage, query or modify data, and in some cases perform broader actions depending on the permissions associated with the keys. That risk extends to data exfiltration, unauthorized configuration changes, and the compromise of other backend services linked to the same cloud account. The article also notes that similar findings apply to apps that contain Azure Blob Storage credentials, underscoring that this is not limited to a single cloud provider.

To reduce the risk, developers should avoid embedding secrets in distributed binaries and instead implement secure secret management strategies. Options include using platform-specific secure storage tied to runtime authentication, retrieving temporary credentials from a trusted backend service, employing cloud provider-managed secrets or token services, enforcing least-privilege access for any keys that must exist, and rotating credentials regularly. Auditing compiled apps for accidental secret inclusion and adopting secure development practices can prevent many of these exposures before an app is published.
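The audit step above is the one that catches a loader like loadAmazonCredential(boolean z) before the build ships. The following scanner is an added example written for this page, not Symantec's tooling or anything from the Pic Stitch project: it walks decompiled sources (or the output of `strings` over a binary) and reports AWS access key IDs, 40-character secrets on lines that mention "secret", Azure storage AccountKey values and bucket-name assignments, skipping low-entropy placeholders. The AKIA/ASIA prefix format is documented by AWS; the remaining patterns, the entropy threshold and the embedded sample (a constructed imitation of a prod/staging credential switch using AWS's public documentation example key pair plus made-up values) are assumptions for the example.

```python
"""Pre-release audit: find cloud credentials embedded in app sources or binaries.

Added example, not the blog's or the app's code. The AWS access key ID shape
(AKIA/ASIA + 16 uppercase alphanumerics) is from AWS documentation; the other
regexes, the entropy gate and every sample value are constructed assumptions.
"""
from __future__ import annotations

import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # a 40-character base64-like literal on a line that mentions "secret"
    "aws_secret_access_key": re.compile(
        r"(?i)secret[^\n]{0,40}?[\"']([A-Za-z0-9/+=]{40})[\"']"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/=]{20,})"),
    # a string literal assigned to a bucket-named field, e.g. bucketName = "..."
    "s3_bucket_name": re.compile(
        r"(?i)bucket\w*\s*=\s*[\"']([a-z0-9][a-z0-9.-]{2,62})[\"']"),
}
# Real secrets look random; "AAAA..." placeholders should not be reported.
ENTROPY_GATED = {"aws_secret_access_key", "azure_storage_account_key"}
MIN_BITS_PER_CHAR = 3.5


@dataclass(frozen=True)
class Finding:
    kind: str
    source: str
    line_no: int
    redacted: str  # first and last four characters only, never the full value


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; 0.0 for a repeated single character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_text(text: str, source: str = "<input>") -> list[Finding]:
    """Scan one file's text; returns findings in line order with values redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind in ENTROPY_GATED and shannon_entropy(value) < MIN_BITS_PER_CHAR:
                    continue  # placeholder or test fixture, not a live-looking secret
                findings.append(Finding(kind, source, line_no, redact(value)))
    return findings


def scan_paths(paths: list[Path]) -> list[Finding]:
    """Scan files, or every file under a directory (decompiler output tree)."""
    findings: list[Finding] = []
    for p in paths:
        for f in ([p] if p.is_file() else p.rglob("*")):
            if f.is_file():
                findings.extend(scan_text(f.read_text(encoding="utf-8", errors="replace"), str(f)))
    return findings


# Constructed sample shaped like a decompiled loader that picks production or
# staging credentials by a boolean flag. The AKIAIOSFODNN7EXAMPLE / wJalr... pair
# is AWS's public documentation example; every other value is made up.
SAMPLE_DECOMPILED = '''\
public void loadAmazonCredential(boolean z) {
    if (z) {
        this.bucketName = "pic-prod-bucket-example";
        this.accessKey = "AKIAIOSFODNN7EXAMPLE";
        this.secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    } else {
        this.bucketName = "pic-staging-bucket-example";
        this.accessKey = "AKIASTAGINGEXAMPLE00";
        this.secretKey = "Zt9qL2mX8vB4nK7pW1rY5sD3fG6hJ0kC/aE+uQ==";
    }
    this.placeholderSecret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    this.azureConn = "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=Q29uc3RydWN0ZWRFeGFtcGxlS2V5MTIzNA==;";
}
'''

if __name__ == "__main__":
    # usage: python audit_secrets.py <decompiled-dir-or-file>...  (no args: run on the sample)
    found = scan_paths([Path(a) for a in sys.argv[1:]]) if len(sys.argv) > 1 \
        else scan_text(SAMPLE_DECOMPILED, "sample.java")
    for fd in found:
        print(f"{fd.source}:{fd.line_no}: {fd.kind} {fd.redacted}")
    sys.exit(1 if found else 0)  # non-zero so a CI release gate fails on any hit
```

Run it against the decompiler's output directory as a release gate; the non-zero exit on any finding is what blocks the build. The entropy gate drops the all-"A" placeholder in the sample while keeping both real-looking secret keys, and values are redacted in the report so the audit log does not itself become a second copy of the secret.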

The Pic Stitch example serves as a warning: even widely used applications can leak high-value credentials if secure coding and secret management are not enforced. Developers, security teams, and app store maintainers should prioritize detecting and remediating hardcoded credentials to protect user data and backend infrastructure.

Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/exposing-danger-within-hardcoded-cloud-credentials-popular-mobile-apps