Researchers Find Hardcoded Twilio Credentials

Late yesterday (8th November 2017) security researchers at AppAuthority claimed to have found about 685 iOS and Android Apps that hardcode credentials for their Twilio account. Using this security issue dubbed Eavesdropper the researcers were able to gain access to all of the App’s private communication that was done via Twilio’s APIs.

Twilio provides App developers a Rest API and/or SDK for communication services, including calling and messaging. App Developers can access these services using their credentials, which is the Twilio ID and Token/Password. However, developers who did not follow Twilio’s client coding guidelines hardcoded these credentials in their mobile Apps.

By reverse engineering the App binary, the researchers were able to gain access to these credentials and retrieve all user data including – but not limited to – text/SMS messages, call metadata, and voice recordings.

At DataTheorem, we have already included this finding in our “Scan & Secure” engine and are in the process of reaching out to any customer who is vulnerable to Eavesdropper.

The recommendation to fix this issue is as follows:

Immediately remove the hardcoded tokens from the App. Twilio provides a feature called Capability Tokens for client-side applications. Capability tokens allow you to add Twilio capabilities to web and mobile applications without exposing the AuthToken in JavaScript or any other client-side environment. The capability token should be created on the server, where the developer can specify what capabilities a mobile app should have. All tokens have a limited lifetime to protect from abuse. The lifetime is configurable up to 24 hours, but it should be made it as short as possible. More details on Capability Tokens can be found here.

Pavan Walvekar - 10 Nov 2017 at 18:30