
40% of Android apps expose sensitive back end information - martinald
https://codifiedsecurity.com/2017/03/13/40-percent-android-apps-expose-sensitive-information/
======
nolikeynovotey
Interesting stuff, what was the methodology behind this?

~~~
martinald
We grabbed a selection of 2,000 top apps from the UK Play Store that were
built in Java.

We looked for strings that matched certain entropy patterns common to the
services listed on the site.

For staging environments we looked at likely candidates from string variable
names and patterns that looked likely to be staging environments.

It's really dreadful the amount of debug/useless code that gets left in
production Android apps, and it tends to grow over time.
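The string-scanning approach described in this comment (high-entropy constants that look like service credentials, plus names that look like staging or debug endpoints) can be reproduced as a release-time check on your own build. The script below is an added example, not the commenter's tooling: the sample strings are constructed (none is a real credential), and the entropy threshold, minimum length, token character class and staging keyword list are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: string constants of the kind you get by running `strings`
# over classes.dex or by reading decompiled Java. All values are made up.
SAMPLE_STRINGS = [
    "Welcome to the app",
    "https://api.example.com/v1/",
    "https://staging-api.example.com/v1/",
    "STAGING_BASE_URL",
    "kX9vQ2mT7bR4wL1nZ8pH3cF6yJ0sD5aG",   # shape of an API token (fake)
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",   # long but low entropy: not a secret
    "com.example.app.MainActivity",
    "debug_push_endpoint",
]

# Assumed token shape: base64/hex-like alphabet, at least 20 characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")

# Assumed list of words that usually mark non-production infrastructure.
STAGING_RE = re.compile(
    r"(?<![a-z])(staging|stage|dev|debug|qa|uat|sandbox|test)(?![a-z])",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; a uniformly random 32-char alphabet gives 5.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_high_entropy(strings, min_entropy: float = 4.0):
    """Return (string, entropy) pairs that look like embedded credentials."""
    hits = []
    for s in strings:
        if TOKEN_RE.match(s):
            h = shannon_entropy(s)
            if h >= min_entropy:
                hits.append((s, round(h, 3)))
    return hits


def find_staging_indicators(strings):
    """Return strings whose name or URL suggests a staging/debug environment."""
    return [s for s in strings if STAGING_RE.search(s)]


def scan(strings):
    """Combine both checks into one report suitable for a CI gate."""
    return {
        "possible_secrets": find_high_entropy(strings),
        "staging_indicators": find_staging_indicators(strings),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_STRINGS)
    for kind, items in report.items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Run against the string table of a release build before it ships; any hit in `possible_secrets` is a candidate for moving the credential server-side, and any hit in `staging_indicators` is debug residue to remove or gate behind a build flag. Entropy alone produces false positives (hashes, resource IDs), so treat the output as a review list rather than a verdict.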

------
ultimatejman
Finance apps?

~~~
martinald
Some finance apps included development/staging details, yes. We didn't find
any secrets from traditional finance firms (I expect this is more a function
of them not using cloud services as much as other industries at this point in
time).

Fintech companies were among the worst offenders in our sample, with obviously
no real pentesting being done on the client side at least.

