
Hardcoded AWS Credentials in 1,800 Mobile Apps Highlight Supply Chain Issues

Symantec has discovered hardcoded AWS credentials in more than 1,800 mobile applications and warned of the potential risks associated with poor security practices.

While Symantec’s threat hunting team has looked at both Android and iOS apps, nearly all of the applications containing hardcoded credentials were developed for iOS.


A closer analysis revealed that 77% of the apps contained valid AWS access tokens that provide access to private cloud services, and nearly half contained tokens that provide full access to files — in some cases millions of files — in the Amazon S3 storage service.

The study highlights a supply chain issue with potentially serious implications. More than half of the mobile applications were using the same AWS access tokens that were present in other apps, often created by different developers and companies.

The source of the problem is often a component that is used by multiple developers, such as a third-party library or SDK. While in some cases the access keys found in an application are needed to download or upload assets or resources, to access configuration files, or to access cloud services, sometimes they are simply there because the developer forgot about them.

The credentials might only allow access to a specific asset, in which case their exposure has limited impact. However, in some cases, the developer may unwittingly be using and exposing an access token that leaves all of an organization’s files and storage at risk.

“Imagine a business-to-business (B2B) company providing access to its service using a third-party SDK and embedding an AWS hard-coded access key, exposing not only the private data of the app using the third-party SDK, but also the private data of all apps using the third-party component,” Symantec explained.

Symantec researchers shared three case studies. One of them involved a B2B company providing an intranet and communication platform, which can also be accessed via a mobile SDK. The SDK contained a hardcoded AWS token, which the firm needed to access the AWS translation service.


However, instead of limiting it to the translation service, the token provided access to all of the company’s AWS cloud services, including customer corporate data, financial records, and employee data, as well as the files used on the firm’s intranet for more than 15,000 companies.

In another example, five popular iOS banking apps used the same digital identity SDK. The SDK contained cloud credentials that exposed private authentication data and keys belonging to every financial app that uses the SDK. The access key also exposed 300,000 biometric digital fingerprints, personal data, infrastructure data, and source code.

Symantec has also come across a vulnerable library used by 16 online gambling applications, which exposed root account credentials that provided access to infrastructure and cloud services.

“Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues,” Symantec said. “As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.”
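The scanning step Symantec recommends, and the shared-SDK pattern described earlier, can be illustrated with a small secret scanner. The code below is an added example, not Symantec's tooling: it pulls AWS access key IDs (and any adjacent 40-character secret candidate) out of the strings of an app package and reports key IDs that recur across different apps, which is the signal that a third-party SDK is distributing the credential. The app contents and key values are constructed placeholders.

```python
import re
from collections import defaultdict

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA = long-term IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret access key is a 40-char base64-like string; hardcoded pairs usually sit
# next to each other, so we only look for one in a short window after the key ID.
SECRET_RE = re.compile(rb"[A-Za-z0-9/+=]{40}")


def find_aws_keys(blob: bytes, window: int = 200) -> list[tuple[str, bool]]:
    """Return (access_key_id, has_adjacent_secret) for each key ID found in the blob."""
    found = []
    for m in ACCESS_KEY_RE.finditer(blob):
        tail = blob[m.end():m.end() + window]
        found.append((m.group(1).decode(), SECRET_RE.search(tail) is not None))
    return found


def shared_keys(apps: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each key ID to the apps embedding it, keeping only IDs used by more than one app.

    A key that shows up in unrelated apps almost always comes from a shared SDK or
    library, so its blast radius is every app that ships that component."""
    owners: dict[str, list[str]] = defaultdict(list)
    for app, blob in apps.items():
        for key_id, _ in find_aws_keys(blob):
            if app not in owners[key_id]:
                owners[key_id].append(app)
    return {k: v for k, v in owners.items() if len(v) > 1}


# Constructed stand-ins for the string tables of three app bundles (not real apps or keys).
SAMPLE_APPS = {
    "bank-app-a": b"\x00AKIAEXAMPLE000000001\x00" + b"0" * 10 + b"1" * 30 + b"\x00identity-sdk/2.1\x00",
    "bank-app-b": b"\x00identity-sdk/2.1\x00AKIAEXAMPLE000000001\x00" + b"0" * 10 + b"1" * 30 + b"\x00",
    "game-app": b"\x00AKIAEXAMPLE000000002\x00https://s3.amazonaws.com/assets\x00",
}

if __name__ == "__main__":
    for app, blob in SAMPLE_APPS.items():
        for key_id, with_secret in find_aws_keys(blob):
            print(f"{app}: {key_id} (secret nearby: {with_secret})")
    for key_id, apps in shared_keys(SAMPLE_APPS).items():
        print(f"shared across {len(apps)} apps (likely SDK): {key_id} -> {apps}")
```

On a real iOS or Android package, run the scanner over the extracted binary, embedded plist/JSON/config files and bundled SDK frameworks, and treat any shared key ID as a finding for the SDK vendor as well as the app.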

The issue of apps exposing access credentials has been known for years. In a study conducted last year, CloudSEK analyzed 10,000 apps and found that more than 40 of them — downloaded a total of 100 million times — had hardcoded private AWS keys.

Related: Thousands of Secret Keys Found in Leaked Samsung Source Code

Related: Mobile Health Apps Found to Expose Records of Millions of Users

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
