Hacker News new | ask | show | jobs
by lucasluitjes 345 days ago
Hardcoded API keys and poorly secured backend endpoints are surprisingly common in mobile apps. Sort of like how common XSS/SQLi used to be in webapps. Decompiling an APK seems to be a slightly higher barrier than opening up devtools, so they get less attention.

Since debugging hardware is an even higher threshold, I would expect hardware devices this to be wildly insecure unless there are strong incentive for investing in security. Same as the "security" of the average IoT device.
1 comments
bigiain 345 days ago
Eventually someone is going to get a bill for the OpenAPI key usage. That will provide some incentive. (Incentive to just rotate the key and brick all the devices rather than fix the problem, most likely.
link
eru 345 days ago
> (Incentive to just rotate the key and brick all the devices rather than fix the problem, most likely.

But that at least turns it into something customers will notice. And companies already have existing incentives for dealing with that.

link
bigiain 345 days ago
At that stage you just rotate the company name or branding...
link
eru 345 days ago
Sure. But then you cannot benefit from building up a good reputation and charge people extra for it.

(There's a reason Apple can charge crazy markups.)

link
bigiain 344 days ago
Had you ever heard of IKKO before this? I hadn't, and I'm at least adjacent to the hifi and audio nerd crowd.

Apple have a reputation and brand that allows them to charge premium prices.

IKKO seems, at least to me, to be effectively a disposable brand. If their reputation goes bad, their only reals costs are setting up a new website/AliExpress Store/Amazon seller account.

link
eru 344 days ago
To expand on what I was trying to say:

Yes, you can run with disposable brands. It's a perfectly viable business strategy in many cases.

However: if you do that you are missing out on the benefits of building a good reputation. Even in the cases, where your product _is_ actually good.

So another perfectly valid business strategy is to build a longer lasting brand. Like Apple has done. (Or countless other companies.)

In most markets we see both kinds of strategies at play. As a customer, you can usually decide which kind of strategy you give your money to.

link