Hello, welcome to the Friday, November 10th, 2017 edition of the San Bernard Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida. We continue to have problems with developers storing credentials

in code being delivered to users. The latest case are Twilio credentials.

Twilio, if you're not familiar with that, is a very popular service that allows you to send SMS messages,

also allows for voice interaction, voice messages, even some video conferencing capabilities.

So a lot of mobile applications that use these functionalities are using Twilio for sort of the

plumbing part of actually sending the messages and then the app itself will just send a request

to Twilio's web service in order to, for example, establish a call.

Now, Twilio on its website actually has some guidance for different applications and languages,

how to set up per user tokens for authentication.

Essentially, what you're supposed to do is that the user will connect to the developers,

web service will receive a token from the developer and then use that token to directly authenticate to Tuileo.

Now this process of course requires some extra work, so a lot of developers will just include their own key in the application,

which then results in all applications or all users using the same code.

Once different users share the same API key, there is of course no separation anymore

between these users as far as Twilio is concerned.

And now all of these users have access to all data being submitted to Twilio.

Like for example, call logs, logs of messages, and well, everything Tvillo has to offer.

This isn't the first time something like this happens.

We have seen this quite often, for example, with credentials for Amazon web servers

that are just being embedded in mobile applications.

Too often developers believe that by delivering a binary blob to the user, that the user will not be able to extract these credentials.

...