Mobile App Security: Identifying and Fixing Hidden Vulnerabilities with BeVigil

Mobile applications are vital for businesses but often come with hidden security risks. This blog highlights how BeVigil’s Mobile App Scanner uncovered a major vulnerability in a widely-used Android app, exposing hardcoded Salesforce API keys and tokens. These credentials could have granted unauthorized access to sensitive data, posing a serious security threat. BeVigil’s assessment detected and mitigated these risks by revoking exposed keys, securing API access, and implementing stricter access controls. This case emphasizes the need for proactive security measures, regular audits, and secure coding practices to safeguard digital assets and maintain customer trust.

Niharika Ray
February 19, 2025
Last update posted on February 19, 2025

In an era where digital ecosystems are the backbone of modern enterprises, ensuring the security of sensitive information is crucial. Mobile applications, while essential for operational efficiency and user engagement, often have vulnerabilities that can lead to data breaches. This blog highlights how BeVigil played a pivotal role in identifying and addressing critical security gaps, safeguarding sensitive data, and enhancing operational integrity.

The BeVigil Mobile App Scanner strengthens mobile application security by identifying misconfigurations, malware, and hardcoded secrets before they can be exploited. The workflow starts from the organization's attack surface: domains and subdomains are enumerated, the web applications associated with them are identified, the corresponding Android apps are located on the Play Store, and their APK files are sent to the mobile application scanner.

BeVigil Main Dashboard - Security Score

The Discovery

During a routine security assessment using BeVigil’s advanced scanning capabilities, a major issue was identified in a widely-used Android application. The application shockingly exposed sensitive credentials, including hardcoded Salesforce API keys and tokens. These credentials, accessible through the disassembled Java code, could have been exploited to gain unauthorized access to sensitive organizational data.

BeVigil’s Mobile App Scanner found the following:

  • Hardcoded Credentials: Exposed Salesforce client ID, Salesforce client secret, Salesforce username, and Salesforce password.
  • Access Token Vulnerability: Tokens that allowed unauthorized API access were easily retrievable.
  • Potential Exploits: The vulnerability enabled unauthorized access to user information, internal records, and customer data, with possibilities for data theft, modification, and service disruption.
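As an added illustration (not BeVigil's detection logic and not code from the scanned app), the three findings above can be checked mechanically over decompiled Java source: identifiers with credential-like names assigned string literals, string literals matching the Salesforce connected-app consumer-key prefix (the "3MVG9" prefix check is a heuristic assumption about key format, not something the post states), and OAuth token-endpoint URLs that carry credentials as query parameters. The sample source and every value in it are constructed placeholders, and the report redacts values so the scanner itself never re-leaks a secret.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a decompiled Java config class; it is not code from the
# scanned app, and every value below is an obviously fake placeholder.
SAMPLE_SOURCE = '''
public class SfConfig {
    private static final String CLIENT_ID = "3MVG9EXAMPLEexampleEXAMPLEexampleEXAMPLEexampleEXAMPLEexample";
    private static final String CLIENT_SECRET = "0000000000000000000";
    private static final String SF_USER = "integration@example.invalid";
    private static final String SF_PASSWORD = "Examp1ePassw0rd";
    private static final String TOKEN_URL = "https://login.example.invalid/services/oauth2/token?grant_type=password&client_id=3MVG9EXAMPLE&client_secret=0000&username=u%40example.invalid&password=secret";
    private static final String APP_NAME = "ExampleApp";
}
'''


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # hardcoded_credential | salesforce_consumer_key | credentials_in_url
    name: str    # identifier the literal was assigned to
    detail: str  # redacted preview, or the list of leaked query parameters


# Any identifier assigned a string literal: NAME = "value"
ASSIGNMENT = re.compile(r'([A-Za-z_]\w*)\s*=\s*"([^"\n]*)"')
# Identifier names that usually hold credentials (matched case-insensitively).
SENSITIVE_NAME = re.compile(
    r'client[_-]?id|consumer[_-]?key|client[_-]?secret|consumer[_-]?secret|'
    r'user(?:name)?|password|passwd|pwd|secret|token', re.I)
# Heuristic (assumption): Salesforce connected-app consumer keys are long
# strings beginning with "3MVG9".
SF_CONSUMER_KEY = re.compile(r'^3MVG9[A-Za-z0-9._]{20,}$')
# OAuth token endpoint with credentials passed as query parameters.
OAUTH_TOKEN_URL = re.compile(r'/services/oauth2/token\?', re.I)
CRED_PARAM = re.compile(r'[?&](client_id|client_secret|username|password)=', re.I)


def redact(value: str) -> str:
    """Keep only a short prefix so the report never re-leaks the secret."""
    if len(value) <= 4:
        return "****"
    return f"{value[:4]}...({len(value)} chars)"


def scan_source(text: str) -> List[Finding]:
    """Return every credential-like literal found in a decompiled source file."""
    findings: List[Finding] = []
    for m in ASSIGNMENT.finditer(text):
        name, value = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start()) + 1
        if value.lower().startswith(("http://", "https://")):
            # A URL by itself is not a secret; a token URL whose query string
            # carries client_id/client_secret/username/password is.
            if OAUTH_TOKEN_URL.search(value):
                params = sorted({p.lower() for p in CRED_PARAM.findall(value)})
                if params:
                    findings.append(Finding(line, "credentials_in_url", name, ",".join(params)))
            continue
        if SF_CONSUMER_KEY.match(value):
            findings.append(Finding(line, "salesforce_consumer_key", name, redact(value)))
        elif value and SENSITIVE_NAME.search(name):
            findings.append(Finding(line, "hardcoded_credential", name, redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} in {f.name}: {f.detail}")
```

Run it over the output of a decompiler (jadx, for example) by passing each `.java` file's contents to `scan_source`; name-based matching will produce some false positives, which is the right trade-off for a secret scanner, while the URL and key-prefix checks are high-confidence.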

Unmasking Security Flaws: A Detailed Analysis

  1. The investigation revealed an exposed link that carried sensitive credentials in its query parameters. Using these credentials, a POST request could retrieve an access token, which is the core of the vulnerability.
     BeVigil Mobile App Scanner detection
     Source code snippet
  2. Once the access token is obtained, it can be used to interact with the Salesforce API through the instance URL. This access enables actions such as retrieving objects, user information, partner PII, and customer data, which shows the potential impact of the exposed credentials.
     Fetching user information through the Salesforce API
     Fetching partner PII through the Salesforce API
     Fetching customer information through the Salesforce API

Securing the System

BeVigil’s comprehensive assessment provided actionable insights and mitigation strategies to address the vulnerabilities effectively. Here’s what we did:

  • Detected vulnerabilities like hardcoded credentials and exposed API endpoints that could lead to security breaches.
  • Revoked key access from the application to eliminate the risk of unauthorized access.
  • Secured API access by routing sensitive requests through a backend proxy, reducing direct exposure.
  • Strengthened access control with stricter permissions and role-based restrictions.
  • Implemented proactive security measures, including periodic token rotation, regular audits, and real-time monitoring to detect threats early.
BeVigil Mobile App Scanner Workflow
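The backend-proxy, role-based-restriction and token-rotation controls in the list above can be sketched in one small service. The following is an added example, not CloudSEK's or the affected app's code; the environment variable names, role names, operation names and the two injected transport callables are assumptions, and the real Salesforce token request and API calls are replaced by fake functions so it runs offline. The mobile client only ever names an operation and supplies parameters; the secrets live in the backend's environment and the access token never leaves the backend.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Operations the backend will perform on behalf of each app role (assumed names).
ROLE_ALLOWLIST: Dict[str, Set[str]] = {
    "support_agent": {"get_case"},
    "partner_manager": {"get_case", "get_partner_contact"},
}


class ProxyError(Exception):
    """Raised for a missing backend secret or an operation the caller's role may not use."""


@dataclass(frozen=True)
class Credentials:
    client_id: str
    client_secret: str
    username: str
    password: str


def load_credentials_from_env() -> Credentials:
    """Secrets come from the backend environment (or a secret manager), never from the APK."""
    values = {}
    for key in ("SF_CLIENT_ID", "SF_CLIENT_SECRET", "SF_USERNAME", "SF_PASSWORD"):
        value = os.environ.get(key)
        if not value:
            raise ProxyError(f"backend secret {key} is not configured")
        values[key] = value
    return Credentials(values["SF_CLIENT_ID"], values["SF_CLIENT_SECRET"],
                       values["SF_USERNAME"], values["SF_PASSWORD"])


class SalesforceProxy:
    def __init__(self, creds: Credentials,
                 fetch_token: Callable[[Credentials], str],
                 call_api: Callable[[str, str, Dict[str, str]], Dict[str, object]],
                 clock: Callable[[], float] = time.time,
                 rotate_after: float = 900.0):
        self._creds = creds
        self._fetch_token = fetch_token      # exchanges credentials for an access token
        self._call_api = call_api            # forwards one operation to the API with the token
        self._clock = clock
        self._rotate_after = rotate_after    # seconds before the cached token is replaced
        self._token: Optional[str] = None
        self._issued_at = 0.0
        self.audit: List[Tuple] = []         # feed this into real-time monitoring

    def _current_token(self) -> str:
        now = self._clock()
        if self._token is None or now - self._issued_at >= self._rotate_after:
            self._token = self._fetch_token(self._creds)
            self._issued_at = now
            self.audit.append(("token_rotated", now))
        return self._token

    def handle(self, role: str, operation: str, params: Dict[str, str]) -> Dict[str, object]:
        # Role-based restriction: deny anything not explicitly allowed for this role.
        if operation not in ROLE_ALLOWLIST.get(role, set()):
            self.audit.append(("denied", role, operation))
            raise ProxyError(f"role {role!r} may not call {operation!r}")
        result = self._call_api(self._current_token(), operation, params)
        self.audit.append(("allowed", role, operation))
        # Only the API result goes back to the client; the token stays in the backend.
        return {"operation": operation, "data": result}


def demo() -> Dict[str, object]:
    """Runs the proxy offline with constructed placeholder secrets and fake transports."""
    for key in ("SF_CLIENT_ID", "SF_CLIENT_SECRET", "SF_USERNAME", "SF_PASSWORD"):
        os.environ.setdefault(key, f"PLACEHOLDER_{key}")   # constructed, not real values
    creds = load_credentials_from_env()
    issued: List[str] = []
    fake_now = [1_000_000.0]

    def fake_fetch_token(c: Credentials) -> str:
        issued.append(c.username)
        return f"fake-token-{len(issued)}"

    def fake_call_api(token: str, op: str, params: Dict[str, str]) -> Dict[str, object]:
        return {"op": op, "record_id": params.get("id")}

    proxy = SalesforceProxy(creds, fake_fetch_token, fake_call_api,
                            clock=lambda: fake_now[0], rotate_after=900.0)
    first = proxy.handle("support_agent", "get_case", {"id": "500EXAMPLE"})
    try:
        proxy.handle("support_agent", "get_partner_contact", {"id": "003EXAMPLE"})
        denied = False
    except ProxyError:
        denied = True
    fake_now[0] += 901            # past the rotation window, so a fresh token is fetched
    second = proxy.handle("partner_manager", "get_case", {"id": "500EXAMPLE"})
    return {"first": first, "denied": denied, "second": second,
            "tokens_issued": len(issued), "audit": list(proxy.audit)}


if __name__ == "__main__":
    print(demo())
```

In a deployment, `fetch_token` and `call_api` would be the real HTTPS calls made from the backend, the client would authenticate to the backend with its own user session (which is how `role` is established), and `audit` would be shipped to the monitoring pipeline mentioned in the last bullet above.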

Lessons Learned

This incident underscores the critical importance of robust security practices in application development. Avoiding hardcoded credentials, implementing secure API configurations, and conducting regular security audits are foundational steps toward ensuring data integrity and operational resilience.

Securing sensitive data is not just a technical requirement—it is a business imperative. BeVigil Enterprise provides organizations with the tools and insights needed to stay ahead of evolving security threats. By identifying vulnerabilities before they can be exploited, BeVigil empowers businesses to maintain the trust of their customers and secure their digital assets effectively.
