Data Security, AI/ML, Application security

Android AI apps expose millions of files due to hardcoded secrets


A large-scale study has analyzed 1.8 million Android apps on the Google Play Store, focusing on those that explicitly advertise AI features, and found widespread flaws that expose hardcoded credentials and the backend data behind them, as reported by Tech Radar.

Cybernews researchers found that 72% of the analyzed Android AI apps contained at least one hardcoded secret, with an average of 5.1 secrets leaked per app. Over 81% of these secrets were tied to Google Cloud infrastructure, including API keys and Firebase database URLs. Thousands of Google Cloud Storage buckets were referenced, hundreds of them misconfigured and publicly accessible, potentially exposing more than 200 million files. In addition, 285 Firebase databases accepted requests without authentication, leaking user data, and some showed signs of prior compromise. Leaked large language model API keys were rare, but the most severe exposures involved live payment infrastructure: Stripe secret keys, which belong only on a server and should never be shipped in a client app.
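The two checks a practitioner would run against an app built the way the study describes, as an added example that is not code from the Cybernews study or from this article: a scan of strings pulled from a decompiled APK for the credential formats the study reports (Google API keys, Firebase Realtime Database URLs, Cloud Storage buckets, Stripe secret keys), and an inspection of Firebase database rules for unauthenticated access. The regexes, the sample strings and the rule sets are this example's own assumptions; every key value in it is made up.

```python
"""Added example (not from the Cybernews study or the SC Media article).

(1) scan_for_secrets: find the credential formats the study reports in text
    extracted from a decompiled APK (e.g. `apktool d app.apk`, then grep
    res/values/strings.xml and the decompiled sources).
(2) open_firebase_rules: flag Firebase Realtime Database rules that grant
    read or write access to unauthenticated callers.
The regexes and sample inputs are assumptions made for this example.
"""
import json
import re

# Credential formats named in the article. The boolean records the caveat a
# reviewer needs: a Google API key, Firebase URL or bucket name is expected
# inside a client app and is a finding only if the backend does not restrict
# it, whereas a Stripe *secret* key must never be in an APK at all.
SECRET_PATTERNS = {
    "google_api_key": (re.compile(r"AIza[0-9A-Za-z_-]{35}"), True),
    "stripe_secret_key": (re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}"), False),
    "firebase_db_url": (re.compile(
        r"https://[a-z0-9-]+(?:\.[a-z0-9-]+)?\.(?:firebaseio\.com|firebasedatabase\.app)"), True),
    "gcs_bucket": (re.compile(
        r"(?:gs://|https://storage\.googleapis\.com/)[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]"), True),
}


def redact(value):
    """Keep a prefix and suffix so a report identifies a secret without repeating it."""
    if len(value) <= 12:
        return value[:4] + "..."
    return value[:8] + "..." + value[-4:]


def scan_for_secrets(text):
    """Return (kind, value, severity) for every pattern hit in `text`.

    Severity is "critical" for credentials that must never ship in a client
    (these are redacted) and "review" for identifiers that are normal in a
    client but need server-side restriction (API key restrictions, bucket
    IAM, database rules); those are kept in full because the next step is
    to check how the named resource is protected.
    """
    findings = []
    for kind, (pattern, ships_in_client) in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if ships_in_client:
                findings.append((kind, value, "review"))
            else:
                findings.append((kind, redact(value), "critical"))
    return findings


def open_firebase_rules(rules_json):
    """Return [(path, permission)] for every rule that grants access without auth.

    Firebase accepts both the JSON boolean true and the string expression "true".
    """
    rules = json.loads(rules_json)["rules"]
    open_paths = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    open_paths.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, path + "/" + key)

    walk(rules, "")
    return open_paths


# Constructed sample of the text a decompiled app yields; all values are fake.
SAMPLE_DECOMPILED = """
<string name="google_api_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q</string>
<string name="firebase_database_url">https://example-ai-chat.firebaseio.com</string>
<string name="stripe_publishable">pk_live_EXAMPLEPUBLISHABLEKEY00000</string>
static final String STRIPE_SECRET = "sk_live_EXAMPLESECRETKEY0000000000";
static final String UPLOAD_BUCKET = "gs://example-ai-chat-uploads";
"""

# Constructed rule sets: the wide-open default seen on leaky databases beside
# a locked-down version that ties each user's subtree to that user's uid.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
LOCKED_RULES = json.dumps({"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}})

if __name__ == "__main__":
    for kind, value, severity in scan_for_secrets(SAMPLE_DECOMPILED):
        print(f"{severity:8} {kind:18} {value}")
    print("open rules:  ", open_firebase_rules(OPEN_RULES))
    print("locked rules:", open_firebase_rules(LOCKED_RULES))
```

The scan deliberately ignores the Stripe publishable key (`pk_live_...`), which is designed to sit in client code, and flags only the secret key. For the "review" items the follow-up is a server-side check rather than a code fix: confirm the Google API key is restricted to the app's package and signing certificate, that the bucket is not readable by `allUsers`, and that the database rules do not contain the open pattern the second function reports.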

The prevalence of hardcoded secrets, and the evidence that some of the exposed resources had already been compromised, point to systemic failures in the Android app development ecosystem rather than isolated mistakes. App store screening alone does not catch these problems; the fix sits with developers, through better education, stricter code review, and release checks that keep secrets out of client builds and verify that the Firebase and Cloud Storage resources an app names are locked down.

Source: Tech Radar
