
50% of surveyed Google Play apps use faulty APIs that can steal users’ email and other private data


AI cybersecurity company CloudSEK recently investigated 600 popular Android apps on Google Play and found that about 50 percent of the apps used API keys from three of the most popular email marketing services.

API stands for application programming interface, which allows apps and services to work seamlessly with third-party websites in the background.

Online companies and services use these APIs to collect customer contact information and manage outbound marketing campaigns, which means a lot of vulnerable data is transmitted using API keys.

CloudSEK investigated 600 Google Play apps through its own BeVigil security engine and found that about half of them use API keys from Mailchimp, SendGrid, and Mailgun. These three API keys are vulnerable and can pass sensitive data to malicious third parties, compromising user safety and making users targets for cyber crooks.

The affected apps have been downloaded more than 54 million times, and each of them could now potentially leak any and all details via API keys. According to CloudSEK, the vulnerability could enable malicious actors to read emails, steal customer data, access email lists, and even conduct email marketing campaigns as representatives of affected businesses. This last one means that users exposed in this way would be particularly vulnerable to sophisticated phishing campaigns that would be very difficult to detect.
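A pre-release check a developer could run against the exposure described above, as an added example that is not code from CloudSEK or BeVigil: it scans an app's unpacked resources and decompiled sources for strings shaped like Mailchimp, SendGrid, or Mailgun keys. It assumes the keys are embedded in the app package; the key patterns, file names, and sample values are assumptions constructed for illustration.

```python
import re

# Assumed key shapes, as commonly used by secret scanners (not stated on this page).
KEY_PATTERNS = {
    "Mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "SendGrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"),
    "Mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
}


def redact(secret, keep=6):
    """Keep a short prefix so a finding is traceable without re-leaking the key."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_files(files):
    """Return (path, line_number, service, redacted_key) for each key-shaped string.

    `files` maps a path inside the unpacked app to that file's text content.
    """
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for service, pattern in KEY_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((path, lineno, service, redact(match.group())))
    return findings


# Constructed sample input: placeholder values only, not real credentials.
HEX32 = "0123456789abcdef" * 2
MC = HEX32 + "-us12"
SG = "SG." + "A" * 22 + "." + "b" * 43
MG = "key-" + HEX32
SAMPLE_FILES = {
    "res/values/strings.xml":
        f'<resources>\n  <string name="mc_key">{MC}</string>\n</resources>',
    "com/example/Mailer.java":
        f'class Mailer {{\n  String sg = "{SG}";\n  String mg = "{MG}";\n'
        f'  String md5 = "{HEX32}";\n}}',  # bare 32-hex digest must not be flagged
}

if __name__ == "__main__":
    for path, lineno, service, key in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {service} key {key}")
```

Any key this flags should be revoked and moved behind a server-side component, since a key shipped inside the app is readable by anyone who downloads it.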
