British cybersecurity firm Codified Security just published a report that’s bad news for anyone who has written an Android app: Many are riddled with backdoors.

The report points out two different issues with very different consequences: Either leaked customer data or a way to gain access to computers the code was tested on. The worst news is what’s responsible for the backdoors: Leftover code that wasn’t deleted before publishing.

If you’re an android developer who might be questioning what was left in–or just commented out–it’s a good idea to crack that app open and see if these backdoors apply to you.

The bigger, but less common, all-access backdoor

The first bit of leftover code was only found in three percent of the apps tested, but it creates a backdoor that can give up all sorts of information, and it was easy to get.

See: Don’t sideload Android apps from untrusted sources (TechRepublic)

After tearing open the binary of the target app testers simply looked for references to services like AWS, Google Cloud, GitHub, Twitter, and other platforms. They searched for those keys in Java string references, and voila: Credentials.

The information revealed could expose customer information, grant access to servers and clusters, and give glimpses into databases. All in all, it’s a serious problem that can be hard to rectify: It’s easy for bits of code to slip away in a huge project.

How much do you value your dev environment servers?

If you care about your staging and development infrastructure the second backdoor should have you concerned: 40 percent of the apps tested had leftover mentions of development environments in them.

Attackers could use the information found to gain access to those servers, which often have less protection surrounding them, and next thing you know your whole IP has been stolen.

Again, it can be hard to catch every single mention of development environments from your code but it’s important that you do.

Protecting your Android apps

The lessons found in the report apply to anyone who has ever published an Android app, or any app for that matter. Just because these leaks were reported on Android devices doesn’t means similar backdoors don’t exist on iOS, macOS, or Windows apps.

See: The 18 most frightening data breaches (TechRepublic)

Go through your code with a fine-toothed comb before publishing it, and don’t take QA with a grain of salt–that’s a perfect time for catching superfluous code snippets. Security is just as much a part of quality assurance as any other aspect of an app, and leftover code is a security issue.

Take the time to protect your source code as well. There are methods available for scanning code to detect unused bits, pointing out potentially exploitable areas, and even to obfuscate code to make it harder to reverse engineer.

Picking apart an Android app isn’t hard. Developers owe it to themselves and their customers to make that picking as difficult as possible.

The three big takeaways for TechRepublic readers:

  1. Security testers found that 40 percent of Android apps contain leftover code that exposes user and developer data.
  2. The backdoors can be used to steal customer information as well as access development environments and servers.
  3. Developers need to take time to protect their code, delete unused portions, and secure data as much as possible prior to launch.

Also see: