Security Experts:

Hardcoded AWS Credentials in 1,800 Mobile Apps Highlight Supply Chain Issues

Symantec has discovered hardcoded AWS credentials in more than 1,800 mobile applications and warned of the potential risks associated with poor security practices.

While Symantec’s threat hunting team has looked at both Android and iOS apps, nearly all of the applications containing hardcoded credentials were developed for iOS.

A closer analysis revealed that 77% of the apps contained valid AWS access tokens that provide access to private cloud services, and nearly half contained tokens that provide full access to files — in some cases millions of files — in the Amazon S3 storage service.

The study highlights a supply chain issue with potentially serious implications. More than half of the mobile applications were using the same AWS access tokens that were present in other apps, often created by different developers and companies.

The source of the problem is often a component that is used by multiple developers, such as a third-party library or SDK. While in some cases the access keys found in an application are needed to download or upload assets or resources, to access configuration files, or to access cloud services, sometimes they are simply there because the developer forgot about them.

The credentials might only allow access a specific asset, in which case their exposure has limited impact. However, in some cases, the developer may unwittingly be using and exposing an access token that leaves all of an organization’s files and storage at risk.

“Imagine a business-to-business (B2B) company providing access to its service using a third-party SDK and embedding an AWS hard-coded access key, exposing not only the private data of the app using the third-party SDK, but also the private data of all apps using the third-party component,” Symantec explained.

Symantec researchers shared three case studies. One of them involved a B2B company providing an intranet and communication platform, which can also be accessed via a mobile SDK. The SDK contained a hardcoded AWS token, which the firm needed to access the AWS translation service.

However, instead of limiting it to the translation service, the token provided access to all of the company’s AWS cloud services, including customer corporate data, financial records, and employee data, as well as the files used on the firm’s intranet for more than 15,000 companies.

In another example, five popular iOS banking apps used the same digital identity SDK. The SDK contained cloud credentials that exposed private authentication data and keys belonging to every financial app that uses the SDK. The access key also exposed 300,000 biometric digital fingerprints, personal data, infrastructure data, and source code.

Symantec has also come across a vulnerable library used by 16 online gambling applications, which exposed root account credentials that provided access to infrastructure and cloud services.

“Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues,” Symantec said. “As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.”

The issue of apps exposing access credentials has been known for years. In a study conducted last year, CloudSEK analyzed 10,000 apps and found that more than 40 of them — downloaded a total of 100 million times — had hardcoded private AWS keys.

Related: Thousands of Secret Keys Found in Leaked Samsung Source Code

Related: Mobile Health Apps Found to Expose Records of Millions of Users

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.