1,859 mobile apps, mostly iOS, found storing hard-coded credentials for AWS databases

According to research by Symantec, as many as 1,859 publicly available Android and iOS apps contain hardcoded AWS credentials. Unsafe mobile development practices pave the way for such vulnerabilities in the software supply chain.

AWS access tokens are active in about 77% (1,431) of these 1,859 apps, enabling threat actors to access private AWS cloud services. In addition, nearly half of these apps (873) containing valid AWS access tokens provided access to private databases stored in Amazon S3 containing millions of files and data records.

The scenario is ideal for data-stealing threat actors and has a far-reaching impact on the privacy of users and on the security of the entire mobile software supply chain. Mobile app developers typically use such databases to store sensitive data, including but not limited to communications, app logs and private customer/user data.

Case studies conducted by Symantec Threat Hunter Team researcher Kevin Watkins revealed that one such instance contained private authentication data and keys belonging to all banking and financial apps using a particular SDK. Personal data, including names, dates of birth and more, as well as 300,000 digital biometric fingerprints, were leaked across five mobile banking apps that use the SDK.

Watkins also came across 16 online gambling apps that exposed their entire infrastructure across all AWS cloud services through full read/write root account credentials. As a result, their gaming operations, business data and customer data are at risk.

Another case revealed that a company’s technology stack exposed every file it had on the intranet of more than 15,000 mid- to large-sized companies, as well as customers’ corporate data, financial records and employees’ private data.

Each of these cases has one thing in common: the exposed companies relied on vulnerable software development kits (SDKs), libraries, or other parts of a technology stack supplied by a vendor. For example, the 16 online gambling apps used a vulnerable library or outsourced their digital and online operations to B2B companies.

Likewise, all of the banking apps that exposed data used a vulnerable AI Digital Identity SDK from a third-party vendor, which had cloud credentials built in.

Watkins wrote: “Imagine a business-to-business (B2B) company accessing the service using a third-party SDK and entering an AWS hardcoded access key, not only exposing the app’s private data using the third-party SDK, but also the private data of all apps using the third-party component. Unfortunately, this is not uncommon.”

Symantec, a Broadcom-owned company, pointed out that these risks are directly attributable to upstream mobile app developers using external software libraries and SDKs or outsourcing technology operations, which require sharing user/customer data without performing the necessary due diligence. As a result, downstream app and data security is severely hampered.

“We discovered that over half (53%) of the apps were using the same AWS access tokens found in other apps. Interestingly, these apps were often from different app developers and companies. This pointed to a vulnerability in the supply chain, and that’s exactly what we found. The AWS access tokens can be traced to a shared library, third-party SDK, or other shared component used in the development of the apps,” Watkins noted.

The software supply chain is one of the more serious, not to mention lucrative, targets with the potential to cause widespread damage. Just look at the software supply chain hack of SolarWinds Orion, an IT infrastructure monitoring and management platform widely used by the private sector and US government.

The December 2020 cyber espionage campaign in which SolarWinds customers using Orion were targeted was highly sophisticated: the Russia-based advanced persistent threat (APT) group behind it had begun preparing as early as March 2020.

However, based on the evidence uncovered by Symantec, it is doubtful that compromising the mobile software supply chain to breach the data fed to and from the mobile apps would be as challenging.

So why do mobile developers use hardcoded keys? Watkins and Symantec outlined the following reasons:

  • The apps must download or upload assets and resources (large media files, recordings or images).
  • To access configuration files for the app, register the device, collect device information and store it in the cloud.
  • To access cloud services that require authentication.
  • Probably the most problematic: no specific reason, dead code and/or used for testing and never removed.
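As an added illustration, not part of Symantec's research or tooling, the following Python scans strings extracted from app bundles for hardcoded AWS access key IDs and flags any key that recurs across apps from different developers, which is the signal that pointed Watkins to a shared SDK. The app names, strings and keys are constructed placeholders.

```python
import re
from collections import defaultdict

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 uppercase letters or digits. Secret keys are 40 base64-like
# characters; to limit false positives we only flag one on a line mentioning "secret".
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})\b")

# Constructed sample: printable strings pulled from four app binaries
# (as `strings` would produce). The keys are fabricated, not real credentials.
APP_STRINGS = {
    "BankApp": "AWS_ACCESS_KEY=AKIAEXAMPLESHARED001\n"
               "aws_secret=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n",
    "OtherBank": "identity_sdk\nAKIAEXAMPLESHARED001\n",
    "GameApp": "AKIAEXAMPLEONLYONE02\n",
    "CleanApp": "no cloud keys here\n",
}


def find_keys(text):
    """Return the access key IDs and secret-looking values found in one app's strings."""
    return {
        "access_keys": set(ACCESS_KEY_RE.findall(text)),
        "secrets": set(SECRET_RE.findall(text)),
    }


def shared_keys(apps):
    """Map each access key ID embedded in two or more apps to the sorted list of
    those apps. A key shared across unrelated apps points to a shared SDK or library."""
    owners = defaultdict(set)
    for app, text in apps.items():
        for key in find_keys(text)["access_keys"]:
            owners[key].add(app)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


def apps_with_keys(apps):
    """Sorted names of apps that embed at least one access key ID."""
    return sorted(app for app, text in apps.items() if find_keys(text)["access_keys"])


if __name__ == "__main__":
    print("apps with hardcoded keys:", apps_with_keys(APP_STRINGS))
    for key, names in shared_keys(APP_STRINGS).items():
        print(f"{key} is shared by {names} (likely a common SDK)")
```

Whether a found key is still active is a separate step that must be checked with the key's owner; the scan only establishes that the credential ships inside the app.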

A whopping 98% of mobile apps with hard-coded AWS credentials and thus vulnerable to supply chain risk were for iOS. Symantec has notified all affected parties.
