A Billion-dollar EdTech Company Left API Keys in Their App. That's Not Security – That's Sloppy.
3 Apr 2025
Cybersecurity 101: Never trust your users.
How many times have we heard that phrase? Well, to be honest, far too many times to count. But that doesn’t stop some people from trusting their users with their most sensitive secrets.
TL;DR: Someone Just Taped Their Keys to the Front Door
Taping your keys to your door when you leave your house might be a great way for you to remember where you put them – they’re literally taped to your door!
But that’s not exactly secure, is it? So if a billion dollar giant did exactly that while storing data about people under the age of 18 in the house… would you trust them?
What’s wrong here?
Allen’s iOS app bundle reveals multiple sensitive credentials found in plain-text within .plist files. A simple right-click>Show Package Contents leads to more than 10 sensitive API keys and other sensitive secrets from CleverTap, Google Cloud, DataDog and others.
Here’s what’s exposed:
CLIENT_IDREVERSED_CLIENT_IDANDROID_CLIENT_IDAPI_KEYGCM_SENDER_IDSTORAGE_BUCKETPROJECT_IDBUNDLE_IDGOOGLE_APP_IDCleverTapTokenAPPSFLYER_KEYDATADOG_KEYMIXPANEL_API_KEYCleverTapAccountID
It is, once again, important to note that no reverse engineering, decryption, or tampering was performed to obtain these credentials. Only a right click and a quick perusal of the .plist files in the app bundle’s root directory. While not all of these are sensitive on their own, e.g., BUNDLE_ID, they are dangerous to have lying around in the context of everything else that’s also accessible. While no active attempts were made to exploit these keys due to ethical reasons, based on security best practices, their exposure represents a serious risk.
Timeline
- prior to 19th March
- keys discovered and report prepared
- 19th March
- email notifications sent to info@allen.in, allendigital@allen.ac.in, bengaluru@allen.in; physical copy of report handed over to Allen Jayanagar, Bangalore; 15-day notice is provided before public disclosure
The 2 emails I sent to Allen
- 23rd March
- report sent via WhatsApp on request of Mr. Rajat Bhargava after a friendly reminder was provided
WhatsApp message to Mr. Rajat Bhargava
- 3rd April
- proceed to public disclosure as stated on the report
Allen was given a fair warning – they chose to ignore it.
Allen was given 15 days’ time to fix this – and they have done nothing. Not even an acknowledgement.
Coda
Allen prides itself on academic excellence, but when it comes to security, they’ve failed their own test.
What should I do now?
- Students: be aware that your data may not be secure. Ask Allen how they plan to protect it.
- Parents: ask Allen why a billion-dollar coaching empire can’t follow basic security practices.
- Everyone else: this is a serious data security issue affecting minors. Spread the word.
To the best of my knowledge, Allen has not taken action to remediate this issue as of the time of publishing. If they have done so without acknowledgment, I welcome updates and will note them accordingly.
Read the full report (PDF) (redacted)
or
Read my personal opinion on this
···
Read more —
3 Apr 2025
OPINION: My personal take on the Allen security report
As a student, I've got a few things to say.
1 Apr 2025
15 Years at DPS
On 15 years spent at at my alma mater, DPS Bangalore South
9 Mar 2025
Compiling TextMate I: Minimum Compilable Product
I've embarked on a quest to resurrect TextMate, for some reason.
< all blog
Cybersecurity 101: Never trust your users.
How many times have we heard that phrase? Well, to be honest, far too many times to count. But that doesn’t stop some people from trusting their users with their most sensitive secrets.
TL;DR: Someone Just Taped Their Keys to the Front Door
Taping your keys to your door when you leave your house might be a great way for you to remember where you put them – they’re literally taped to your door!
But that’s not exactly secure, is it? So if a billion dollar giant did exactly that while storing data about people under the age of 18 in the house… would you trust them?
What’s wrong here?
Allen’s iOS app bundle reveals multiple sensitive credentials found in plain-text within .plist files. A simple right-click>Show Package Contents leads to more than 10 sensitive API keys and other sensitive secrets from CleverTap, Google Cloud, DataDog and others.
Here’s what’s exposed:
CLIENT_IDREVERSED_CLIENT_IDANDROID_CLIENT_IDAPI_KEYGCM_SENDER_IDSTORAGE_BUCKETPROJECT_IDBUNDLE_IDGOOGLE_APP_IDCleverTapTokenAPPSFLYER_KEYDATADOG_KEYMIXPANEL_API_KEYCleverTapAccountID
It is, once again, important to note that no reverse engineering, decryption, or tampering was performed to obtain these credentials. Only a right click and a quick perusal of the .plist files in the app bundle’s root directory. While not all of these are sensitive on their own, e.g., BUNDLE_ID, they are dangerous to have lying around in the context of everything else that’s also accessible. While no active attempts were made to exploit these keys due to ethical reasons, based on security best practices, their exposure represents a serious risk.
Timeline
- prior to 19th March
- keys discovered and report prepared
- 19th March
- email notifications sent to info@allen.in, allendigital@allen.ac.in, bengaluru@allen.in; physical copy of report handed over to Allen Jayanagar, Bangalore; 15-day notice is provided before public disclosure
- 23rd March
- report sent via WhatsApp on request of Mr. Rajat Bhargava after a friendly reminder was provided
- 3rd April
- proceed to public disclosure as stated on the report
Allen was given a fair warning – they chose to ignore it.
Allen was given 15 days’ time to fix this – and they have done nothing. Not even an acknowledgement.
Coda
Allen prides itself on academic excellence, but when it comes to security, they’ve failed their own test.
What should I do now?
- Students: be aware that your data may not be secure. Ask Allen how they plan to protect it.
- Parents: ask Allen why a billion-dollar coaching empire can’t follow basic security practices.
- Everyone else: this is a serious data security issue affecting minors. Spread the word.
To the best of my knowledge, Allen has not taken action to remediate this issue as of the time of publishing. If they have done so without acknowledgment, I welcome updates and will note them accordingly.
Read the full report (PDF) (redacted)
or
Read my personal opinion on this
OPINION: My personal take on the Allen security report
As a student, I've got a few things to say.
1 Apr 2025
15 Years at DPS
On 15 years spent at at my alma mater, DPS Bangalore South
9 Mar 2025
Compiling TextMate I: Minimum Compilable Product
I've embarked on a quest to resurrect TextMate, for some reason.
< all blog