And password crackers are getting a lot smarter
An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default.
Will Dormann, software vulnerability analyst at the CERT Coordination Center (CERT/CC), told the
BSides conference in San Francisco that he’d scanned around 1.8 million Android apps and found shocking lapses in operational security in plenty of 'em. PGP keys, VPN codes and hardcoded admin passwords were all readily available.
“I only scanned free apps,” he explained. “Paid apps have similar issues I’m sure but the problem is I’ve downloaded 1.8 million apps and even if they are only 99 cents apiece I’m not paying that much.”
Overall he found nearly 20,000 apps with insecure keys built in, including popular code like Samsung’s "smart" home app. Building passwords into apps is lazy developer policy for some, although he noted some are better than others at obfuscating the practice.
