Bsides SF An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default.

Will Dormann, software vulnerability analyst at the CERT Coordination Center (CERT/CC), told the BSides conference in San Francisco that he’d scanned around 1.8 million Android apps and found shocking lapses in operational security in plenty of 'em. PGP keys, VPN codes and hardcoded admin passwords were all readily available.

“I only scanned free apps,” he explained. “Paid apps have similar issues I’m sure but the problem is I’ve downloaded 1.8 million apps and even if they are only 99 cents apiece I’m not paying that much.”

Overall he found nearly 20,000 apps with insecure keys built in, including popular code like Samsung’s "smart" home app. Building passwords into apps is lazy developer policy for some, although he noted some are better than others at obfuscating the practice.

On one end of the scale was an app developer who not only hardcoded his Android and iOS developer login details in the app but also the master passwords for the app itself. Others were sneakier, trying to hide the important data in .png or .apk files.

If you are using the Appinventor tool to build apps, your application may be including private keys. Dormann said that the software appears to include private keys in generated apps by default.

Software key stores weren’t much help either. The Java and Bouncy Castle key stores don’t encrypt at a container level but rely on password protection. That’s not bad, but the problem Dormann found was that password security is pathetically bad.

Dormann used two popular password crackers - Jack the Ripper and Hashcat. Running these on GPUs allowed for easy brute-force hacking of many passwords selected by lazy users. Password crackers are getting smarter about exploiting common shortcuts used by humans when it comes to choosing passwords.

“Hashcat is much better at this,” he told The Register. “Not only does it recognise the human habit of capitalising the first letter, it can also checks for exclamation points at the end of a password and also four digits, because a lot of people add dates.”

The key to strong passwords is length and complexity. Go long on passwords, avoid words easily spotted in dictionary attacks and never, ever, use "QWERTY". ®