In an era where digital ecosystems are the backbone of modern enterprises, ensuring the security of sensitive information is crucial. Mobile applications, while essential for operational efficiency and user engagement, often have vulnerabilities that can lead to data breaches. This blog highlights how BeVigil played a pivotal role in identifying and addressing critical security gaps, safeguarding sensitive data, and enhancing operational integrity.

The BeVigil Mobile App Scanner enhances mobile application security by identifying misconfigurations, malware, and hardcoded secrets, analyzing vulnerabilities before they can be exploited. Its workflow is as follows: the organization's domains and subdomains are enumerated, the associated web applications are identified, the corresponding APK files are located on the Play Store, and those APKs are submitted to the mobile application scanner.

[Figure: BeVigil Main Dashboard - Security Score]

The Discovery 

During a routine security assessment using BeVigil’s advanced scanning capabilities, a major issue was identified in a widely-used Android application. The application shockingly exposed sensitive credentials, including hardcoded Salesforce API keys and tokens. These credentials, accessible through the disassembled Java code, could have been exploited to gain unauthorized access to sensitive organizational data.

BeVigil’s Mobile App Scanner found the following:

  • Hardcoded Credentials: Exposed Salesforce client ID, Salesforce client secret, Salesforce username, and Salesforce password.
  • Access Token Vulnerability: Tokens that allowed unauthorized API access were easily retrievable.
  • Potential Exploits: The vulnerability enabled unauthorized access to user information, internal records, and customer data, with possibilities for data theft, modification, and service disruption.

Unmasking Security Flaws: A Detailed Analysis

  1. An investigation revealed an exposed link containing sensitive credentials within its parameters. By utilizing these credentials, a POST request could retrieve an access token, uncovering a critical security vulnerability.
[Figure: BeVigil Mobile App Scanner detection]
[Figure: Source code snippet]
  2. Once the access token is obtained, it can be utilized to interact with the Salesforce API through the instance URL. This access enables actions such as retrieving objects, user information, partner PII, and customer data through the Salesforce API, highlighting the potential impact of the exposed credentials.
[Figure: Fetching user information through the Salesforce API]
[Figure: Fetching partner PII through the Salesforce API]
[Figure: Fetching customer information through the Salesforce API]
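The two findings above (credentials embedded in a Salesforce token-request URL, and credentials assigned to string constants in decompiled Java) can be caught by a simple source scan. The following is an added example written for this post, not BeVigil's own detection logic; the regexes are heuristic, the sample Java class and every credential value in it are constructed and fake, and secrets are redacted in the output so a finding can be triaged without re-leaking the value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters of Salesforce's OAuth 2.0 username-password token request
# (grant_type=password). Any of them inside an APK is a hardcoded secret.
SECRET_PARAMS = {"clientid", "clientsecret", "username", "password"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Java/Kotlin string constants such as:  String clientSecret = "...";
ASSIGN_RE = re.compile(
    r'(client_?id|client_?secret|username|password)\s*[=:]\s*"([^"]{4,})"', re.I)


def norm(name):
    """Normalize client_id / clientId / CLIENT_ID to one key."""
    return name.lower().replace("_", "")


def redact(value):
    """Keep a short prefix so the finding is triageable without re-leaking it."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_line(line, lineno):
    findings = []
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        if not parts.netloc.lower().endswith("salesforce.com"):
            continue
        leaked = {norm(k): redact(v[0]) for k, v in parse_qs(parts.query).items()
                  if norm(k) in SECRET_PARAMS}
        if leaked:
            findings.append({"line": lineno, "kind": "token-request-url",
                             "host": parts.netloc, "params": leaked})
    for m in ASSIGN_RE.finditer(line):
        findings.append({"line": lineno, "kind": "hardcoded-assignment",
                         "name": norm(m.group(1)), "value": redact(m.group(2))})
    return findings


def scan_source(text):
    """Scan one decompiled source file; returns a list of finding dicts."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(line, n))
    return findings


# Constructed sample resembling decompiled Java; all values are fake.
SAMPLE_JAVA = '''public class SfConfig {
    static final String TOKEN_URL = "https://login.salesforce.com/services/oauth2/token?grant_type=password&client_id=3MVG9FAKEclientid&client_secret=FAKEsecret123&username=integration@example.com&password=Hunter2!";
    static final String INSTANCE = "https://example.my.salesforce.com";
    static final String apiPassword = "Hunter2!";
}'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_JAVA):
        print(finding)
```

Running the scan over a whole decompiled tree (one call per file) gives the line-level hits to revoke and rotate first.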

Securing the System

BeVigil’s comprehensive assessment provided actionable insights and mitigation strategies to address the vulnerabilities effectively. Here’s what we did:

  • Detected vulnerabilities like hardcoded credentials and exposed API endpoints that could lead to security breaches.
  • Revoked the exposed keys' access from the application to eliminate the risk of unauthorized access.
  • Secured API access by routing sensitive requests through a backend proxy, reducing direct exposure.
  • Strengthened access control with stricter permissions and role-based restrictions.
  • Implemented proactive security measures, including periodic token rotation, regular audits, and real-time monitoring to detect threats early.
[Figure: BeVigil Mobile App Scanner Workflow]

Lessons Learned

This incident underscores the critical importance of robust security practices in application development. Avoiding hardcoded credentials, implementing secure API configurations, and conducting regular security audits are foundational steps toward ensuring data integrity and operational resilience.

Securing sensitive data is not just a technical requirement—it is a business imperative. BeVigil Enterprise provides organizations with the tools and insights needed to stay ahead of evolving security threats. By identifying vulnerabilities before they can be exploited, BeVigil empowers businesses to maintain the trust of their customers and secure their digital assets effectively.


Niharika Ray
