Regarding Mobile Apps with Hard-coded API Keys

A security report recently announced that Android and iOS apps were discovered to contain hard-coded Twilio credentials, meaning the data from the associated Twilio accounts were potentially at risk of exposure to bad actors. The Twilio platform itself remains secured and un-compromised, and we have no evidence that data from any of the apps was accessed by an unauthorized party. Nonetheless, we’d like to offer our community some clarity on what exactly transpired.

What happened?

When a developer makes a request to Twilio’s REST API, they have to pass along secret credentials, or API keys, to authenticate their account. If a developer exposes those keys into the public, someone can come along and access that developer’s Twilio account. It’s like leaving your car keys in an unlocked car — once someone realizes you’ve made the mistake they can drive your car wherever they want.

One way that developers inadvertently expose their API keys is to hard-code them into a mobile app. Individuals can download mobile apps from the Google or Apple app stores, decompile the software, and extract keys stored within them. For this reason, hard-coding keys from any API provider into a mobile app is widely considered to be a security flaw across the API, security, and developer communities.

The Appthority report found keys to 85 Twilio accounts hard-coded in apps published in the Google and App Store. This is not a vulnerability specific to Twilio, the Twilio API, or the Twilio infrastructure, but a mistake made by a small fraction of developers who didn’t adhere to our published best practices.

Are you at risk?

If you have not hard-coded your API keys into your mobile app, your Twilio account is safe from this issue. If you have inadvertently exposed your keys, reach out to help@twilio.com. In line with best practices, Twilio has a token issuing and revocation system, as well as the ability to rotate keys if needed. These products are free, and readily available to all developers. We’d be happy to help you re-architect your app, check your account for suspicious activity, and rotate your API keys.

From tutorials about implementing 2FA and phone verification workflows, to guidance on how to prepare for GDPR, we’re committed to ensuring our customers are equipped with the right tools to properly secure their apps and manage their data.