top | item 44447774


lucasluitjes | 8 months ago

Hardcoded API keys and poorly secured backend endpoints are surprisingly common in mobile apps. Sort of like how common XSS/SQLi used to be in webapps. Decompiling an APK seems to be a slightly higher barrier than opening up devtools, so they get less attention.

Since debugging hardware is an even higher threshold, I would expect hardware devices like this to be wildly insecure unless there are strong incentives for investing in security. Same as the "security" of the average IoT device.
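The point about hardcoded keys in APKs is something a defender can check for in their own builds before shipping. The following is an added example, not code from the thread or from any project mentioned in it: a small scanner that runs over lines of the kind you get from dumping strings out of a decompiled APK (or firmware image), flags tokens with well-known credential prefixes, and falls back to a Shannon-entropy heuristic for anonymous secrets. The sample lines and every token in them are constructed for the example; the `sk-`, `AIza` and `AKIA` prefixes are the public formats of OpenAI, Google and AWS access-key identifiers, and the entropy threshold of 4.0 bits per character is an assumed tuning value, not a standard.

```python
"""Scan extracted strings for hardcoded credentials (added example, constructed data)."""
import math
import re
from dataclasses import dataclass

# Constructed sample: lines as `strings` might emit them for a decompiled app.
# None of these are real credentials; the values are invented for the example.
SAMPLE_STRINGS = [
    "https://api.example.test/v1/chat",
    "Authorization: Bearer sk-EXAMPLEKEY00000000000000000000",
    "AIzaSyEXAMPLE-0123456789abcdefghijklmno",
    "AKIAEXAMPLE000000000",
    "x-app-secret: 9fK2mQ7vL0pR3sT8wY1zB4nC6dE5gH0j",
    "com.example.app.ui.settings.SettingsActivity",
    "a" * 36,  # long but zero-entropy: must NOT be flagged
]

# Public prefix formats for common key types (rule name, pattern).
PREFIX_RULES = [
    ("openai_style_key", re.compile(r"sk-[A-Za-z0-9]{20,}")),
    ("google_api_key", re.compile(r"AIza[0-9A-Za-z_-]{35}")),
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}")),
]

# Candidate tokens: runs of characters typical of keys and base64 blobs.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")
MIN_GENERIC_LEN = 32        # shorter tokens are too noisy for the entropy rule
ENTROPY_THRESHOLD = 4.0     # assumed tuning value, bits per character


@dataclass
class Finding:
    line_no: int
    rule: str
    token: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_token(token: str):
    """Return the rule name that flags this token, or None if it looks benign."""
    for rule, pattern in PREFIX_RULES:
        if pattern.search(token):
            return rule
    if len(token) >= MIN_GENERIC_LEN and shannon_entropy(token) > ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def scan_strings(lines):
    """Scan each line for credential-looking tokens and return the findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in TOKEN_RE.finditer(line):
            rule = classify_token(match.group(0))
            if rule:
                findings.append(Finding(line_no, rule, match.group(0)))
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.rule}: {f.token}")
```

Run it against `strings -n 16` output from the unpacked APK (or a firmware blob) rather than the sample list; the entropy rule is deliberately conservative because package names and resource identifiers are long but low-entropy, as the last two sample lines show.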


bigiain | 8 months ago

Eventually someone is going to get a bill for the OpenAPI key usage. That will provide some incentive. (Incentive to just rotate the key and brick all the devices rather than fix the problem, most likely.)

eru | 8 months ago

> (Incentive to just rotate the key and brick all the devices rather than fix the problem, most likely.)

But that at least turns it into something customers will notice. And companies already have existing incentives for dealing with that.