Yet another embarrassment for Android:
The rise of the Web 2.0 architecture has seen a proliferation of cloud service APIs. Service to service communication is usually authenticated with secret tokens that are known only by the involved parties. When implemented as intended, secret tokens are never shared and are stored on trusted servers where they can be properly safeguarded. However, as these service to service protocols have been adapted to mobile applications, we have discovered using
that developers are now embedding secret tokens directly into applications. While developers may believe their application sources are well guarded, the ease of decompilation and the widespread availability of mobile applications makes recovering secret tokens relatively simple. We discuss how we used
to discover secret tokens used with Amazon Web Services (AWS) and several OAuth providers and demonstrate the potential for abuse of these tokens by malicious actors.
Apparently a whole lot of private keys (that is, the ones needed to use certain applications outside the application itself, in practice external services such as Facebook, Google+, Google Play Games Services, Amazon…) can be freely (or not so freely) obtained and read, and can therefore be used to the detriment of the developer.
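A pre-release check a developer can run over the decompiled output of their own build to catch the embedded AWS credentials the abstract describes. This is an added example, not code from the paper or from this post; the function names and the entropy threshold are assumptions, and the sample values are the placeholder credentials from AWS's documentation plus a constructed source file.

```python
import math
import re
from collections import Counter
from pathlib import Path

# AWS long-term access key IDs are 20 characters and start with "AKIA".
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters: a candidate only, confirmed by entropy.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

def shannon_entropy(s):
    """Bits per character; 40-char hex digests stay below 4.0, random keys land above."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep only the first and last four characters so reports do not leak the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_source(name, text, min_entropy=4.0):  # threshold is an assumption
    """Return findings as (file, line_no, kind, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((name, line_no, "aws_access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE.finditer(line):
            if shannon_entropy(m.group()) >= min_entropy:
                findings.append((name, line_no, "high_entropy_40char", redact(m.group())))
    return findings

def scan_tree(root, suffixes=(".java", ".smali", ".xml", ".properties")):
    """Scan every text source under a decompiled app directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings += scan_source(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample: AWS documentation placeholder credentials and a SHA-1 digest.
SAMPLE = '''package com.example.app;
class Config {
    static final String KEY_ID = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String BUILD  = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
}
'''

if __name__ == "__main__":
    for finding in scan_source("Config.java", SAMPLE):
        print(finding)
```

Any hit means the credential ships to every device that installs the app: rotate the key and move the call behind a server the developer controls, or switch to short-lived, narrowly scoped credentials.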