Researchers Find Hardcoded Twilio Credentials
Late yesterday (8th November 2017), security researchers at Appthority claimed to have found about 685 iOS and Android apps that hardcode the credentials for their Twilio account. Using this security issue, dubbed Eavesdropper, the researchers were able to gain access to all of the apps' private communication that went through Twilio's APIs.
Twilio provides app developers with a REST API and/or SDK for communication services, including calling and messaging. App developers access these services using their account credentials, namely the Twilio ID and token/password. However, developers who did not follow Twilio's client coding guidelines hardcoded these credentials directly into their mobile apps.
By reverse engineering the app binary, the researchers were able to extract these credentials and retrieve all user data, including – but not limited to – text/SMS messages, call metadata, and voice recordings.
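As an added illustration (not code from the original post, from Appthority, or from Data Theorem), the following Python check scans strings pulled from an app binary for Twilio Account SIDs, which take the form "AC" followed by 32 hex digits, and reports whether a token-shaped value sits next to them. The sample strings are constructed for this example and the reported values are redacted, so the check can be run over your own builds before release.

```python
import re
from typing import Dict, List

# Constructed sample of the kind of text that `strings` pulls out of an app binary
# or that appears in a decompiled resource file. Every value here is made up.
SAMPLE_STRINGS = """\
com.example.chatapp.TwilioClient
https://api.twilio.com/2010-04-01/Accounts/
ACa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
3f9c2e8b1a7d4c6e5b0f9a8d7c6e5b4a
TWILIO_ACCOUNT_SID
Content-Type: application/json
"""

# Twilio Account SIDs are the prefix "AC" plus 32 hex digits; Auth Tokens are 32 hex digits.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def redact(secret: str) -> str:
    """Keep only the ends of a secret so a finding can be reported without leaking it."""
    return f"{secret[:4]}...{secret[-4:]}"


def find_twilio_credentials(text: str, window: int = 3) -> List[Dict]:
    """Flag every Account SID in `text` and note whether a token-shaped string sits
    within `window` lines of it; a SID stored next to its token is exactly the
    pattern that exposed the Eavesdropper apps. Values are returned redacted."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for sid in SID_RE.findall(line):
            lo, hi = max(0, idx - window), min(len(lines), idx + window + 1)
            nearby = "\n".join(lines[lo:hi])
            # Ignore the SID's own hex body when looking for a token candidate.
            tokens = [t for t in TOKEN_RE.findall(nearby) if t not in sid]
            findings.append({
                "line": idx + 1,
                "sid": redact(sid),
                "token_nearby": bool(tokens),
                "token": redact(tokens[0]) if tokens else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_twilio_credentials(SAMPLE_STRINGS):
        print(finding)
```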
At DataTheorem, we have already included this finding in our “Scan & Secure” engine and are in the process of reaching out to any customer who is vulnerable to Eavesdropper.
The recommendation to fix this issue is as follows: