Researchers have identified 1,859 apps across Android and iOS that contain hardcoded Amazon Web Services (AWS) credentials, posing a major security risk.
“Over three-quarters (77%) of apps contained valid AWS access tokens that allow access to private AWS cloud services,” Symantec’s Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.
Interestingly, slightly more than 50% of the apps were found to be using the same AWS tokens that also appeared in other apps maintained by different developers and companies, highlighting a supply chain problem with serious implications.
“The AWS access tokens can be traced to a shared library, third-party SDK, or other shared component used in the development of the apps,” the researchers said.
These credentials are typically used to download the resources the app needs to function, as well as to access configuration files and authenticate to other cloud services.
To make matters worse, 47% of the identified apps contained valid AWS tokens that granted full access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included, among other things, infrastructure files and data backups.
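The two findings above (tokens that turn up in apps from unrelated developers because they ship inside a shared SDK, and tokens that grant far more than the app needs) are exactly what a defender wants to catch before release. The following is an added example, not code from the report or from Symantec: a small Python scanner that runs over strings extracted from several app bundles, flags AWS long-term access key IDs (the documented `AKIA` prefix plus 16 upper-case alphanumerics; `ASIA` for temporary STS keys), pairs each with a 40-character secret sitting nearby, and then cross-references which key IDs appear in more than one app and whether those apps belong to different owners. The app identifiers, owner names and extracted strings are constructed sample input; the key values are AWS's published placeholder examples, not real credentials.

```python
import re
from collections import defaultdict

# AWS long-term access key IDs are "AKIA" + 16 upper-case alphanumerics;
# temporary STS keys use "ASIA". Both are worth flagging in shipped code.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is a 40-character run of [A-Za-z0-9/+]. On its own the
# pattern is noisy, so it is only reported when it sits close to a key ID.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
SECRET_WINDOW = 3  # how many following lines to search for a paired secret

# Constructed sample input (hypothetical app IDs and owners). In practice these
# lists would come from `strings` over classes.dex, a .plist, or an SDK binary.
SAMPLE_APP_OWNERS = {
    "com.example.shopping": "Acme Retail",
    "com.example.banking": "Globex Bank",
    "com.example.weather": "Acme Retail",
    "com.example.notes": "Initech",
}
SAMPLE_APP_STRINGS = {
    # Key embedded by a third-party identity SDK, secret shipped right beside it.
    "com.example.shopping": [
        "com.thirdparty.identitysdk/config",
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "https://api.example-shop.test/v2",
    ],
    # Same SDK, different company: the same key ID shows up again.
    "com.example.banking": [
        "com.thirdparty.identitysdk: AKIAIOSFODNN7EXAMPLE",
        "https://login.example-bank.test/oauth",
    ],
    # A key belonging to this developer only, with no secret in the bundle.
    "com.example.weather": ["s3_uploader_key=AKIAEXAMPLE000000002"],
    # Nothing sensitive.
    "com.example.notes": ["https://sync.example-notes.test/"],
}


def find_credentials(lines):
    """Return [(key_id, secret_or_None, line_index)] for each key ID in `lines`."""
    findings = []
    for i, line in enumerate(lines):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            secret = None
            for nearby in lines[i:i + SECRET_WINDOW + 1]:
                hit = SECRET_KEY_RE.search(nearby)
                if hit:
                    secret = hit.group(1)
                    break
            findings.append((match.group(1), secret, i))
    return findings


def scan_apps(app_strings, app_owner):
    """Scan several apps and report which key IDs they share.

    Returns {"per_app": {app: findings}, "shared": {key_id: {"apps": [...], "owners": [...]}}}.
    A key listed under more than one owner is the supply-chain signature described
    in the report: it almost certainly came in through a shared SDK or library.
    """
    per_app = {}
    apps_by_key = defaultdict(set)
    for app, lines in app_strings.items():
        found = find_credentials(lines)
        per_app[app] = found
        for key_id, _, _ in found:
            apps_by_key[key_id].add(app)
    shared = {}
    for key_id, apps in apps_by_key.items():
        if len(apps) > 1:
            shared[key_id] = {
                "apps": sorted(apps),
                "owners": sorted({app_owner.get(a, "unknown") for a in apps}),
            }
    return {"per_app": per_app, "shared": shared}


def redact(key_id):
    """Show only the ends of a key ID so reports can be shared without leaking it."""
    return key_id[:4] + "..." + key_id[-4:]


if __name__ == "__main__":
    report = scan_apps(SAMPLE_APP_STRINGS, SAMPLE_APP_OWNERS)
    for app, findings in report["per_app"].items():
        for key_id, secret, line_no in findings:
            paired = "secret present" if secret else "no secret nearby"
            print(f"{app}: {redact(key_id)} at line {line_no} ({paired})")
    for key_id, info in report["shared"].items():
        cross = "CROSS-OWNER" if len(info["owners"]) > 1 else "same owner"
        print(f"shared key {redact(key_id)} in {info['apps']} [{cross}]")
```

A hit from this scanner is a candidate, not proof: the next step is to confirm with the owning team whether the key is still valid, rotate it, and replace it with short-lived credentials scoped to the one service the app actually needs rather than an account-wide token.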
In one case uncovered by Symantec, an unnamed B2B company that provides an intranet and communications platform, and also offers a mobile software development kit (SDK) to its customers, had embedded its cloud infrastructure keys in the SDK so that it could access the translation service.
This resulted in the exposure of all customers’ private information, which included corporate data and financial records belonging to over 15,000 medium to large companies.
“Instead of restricting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all of the B2B company’s AWS cloud services,” the researchers noted.
Symantec also uncovered five iOS banking apps that rely on the same AI Digital Identity SDK containing the cloud credentials, effectively leaking more than 300,000 users’ fingerprint information.
The cybersecurity firm said it alerted the organizations to the problems uncovered in their apps.
The development comes as researchers from CloudSEK revealed that 3,207 mobile apps expose Twitter API keys in the clear, some of which could be used to gain unauthorized access to the Twitter accounts associated with them.