National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team provides for increased cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, banks and communication providers of the Republic of Cyprus.

Over 1,000 iOS apps found exposing hardcoded AWS credentials

02 September 2022

Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable.

Malicious actors could take advantage of this to access private databases, leading to data breaches and the exposure of customers' personal data.

Scale of the problem

Researchers at Symantec’s Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials; most of them were iOS apps, and only 37 were Android apps.

Roughly 77% of those applications contained valid AWS access tokens that could be used for direct access to private cloud services.

Additionally, 874 applications contained valid AWS tokens that attackers could use to access cloud instances hosting live-service databases that hold millions of records.

These databases typically contain user account details, logs, internal communication, registration information, and other sensitive data, depending on the type of the app.

Real examples

The threat analysts highlight three notable cases in their report where the exposed AWS tokens could have had catastrophic consequences for both authors and users of the vulnerable apps.

One example is a business-to-business (B2B) company providing intranet and communication services to over 15,000 medium-to-large companies. 

The software development kit (SDK) the company provided to clients to access its services contains AWS keys, exposing all private customer data stored on the platform.

Another case is a third-party digital identity and authentication SDK used by several banking apps on iOS that included valid cloud credentials.

Due to this, all authentication data from all customers of those banks, including names, dates of birth, and even biometric digital fingerprint scans, were exposed in the cloud.

Finally, Symantec found a sports betting technology platform, used by 16 online gambling apps, that exposed its entire infrastructure and cloud services with admin-level read/write permissions.

Why is this happening?

The issue with hard-coded and “forgotten” cloud service credentials is essentially a supply chain problem: the negligence of a single SDK developer can impact the entire collection of apps and services that rely on that SDK.

Mobile app development relies on ready-made components instead of creating everything from scratch, so if the app publishers don’t run a thorough check on the SDKs or libraries they use, a security risk is likely to propagate into their project.

As for developers hard-coding credentials in their own products, this is usually a matter of convenience during development and testing, combined with skipping a proper security-focused code review before release.

Referring to reasons why this is happening, Symantec highlights the following possibilities:

• Downloading or uploading assets and resources required for the app, usually large media files, recordings, or images

• Accessing configuration files for the app and/or registering the device and collecting device information and storing it in the cloud

• Accessing cloud services that require authentication, such as translation services

• No specific reason, dead code, and/or used for testing and never removed

Failing to remove these credentials when the software is ready to be deployed by clients is a matter of carelessness and the result of the absence of a checklist-based release process that includes security, too.
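One concrete form such a checklist item can take is a pre-release scan of the unpacked app bundle (or SDK framework) for embedded AWS credentials that fails the build when a long-term key is present. The scanner below is an added example written for this page, not code from Symantec, BleepingComputer or CSIRT-CY; it assumes the documented AWS key formats (long-term IAM key IDs begin with `AKIA`, temporary STS key IDs with `ASIA`, each followed by 16 uppercase alphanumerics; secrets are 40 base64-style characters) and uses AWS's own placeholder credentials as constructed sample input.

```python
import re
import sys
from pathlib import Path

# Assumed AWS key formats: long-term IAM user access key IDs start with "AKIA" and temporary
# STS key IDs with "ASIA", each followed by 16 uppercase alphanumerics; secret access keys are
# 40 base64-style characters. Byte regexes so compiled binaries can be scanned as-is.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 512  # bytes searched on either side of a key ID for a matching secret

def scan_bytes(data: bytes, name: str = "<bytes>"):
    """Return findings as (file, offset, key_id, kind, severity) tuples."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        key_id = m.group(0).decode()
        kind = "long-term IAM key" if key_id.startswith("AKIA") else "temporary STS key"
        lo, hi = max(0, m.start() - WINDOW), m.end() + WINDOW
        # A 40-char secret near the key ID means a usable credential pair is embedded.
        severity = "credential pair" if SECRET_KEY_RE.search(data[lo:hi]) else "key id only"
        findings.append((name, m.start(), key_id, kind, severity))
    return findings

def scan_tree(root: Path):
    """Scan every regular file under an unpacked app bundle (.ipa/.apk contents, SDK
    frameworks, plists, JSON config) as raw bytes, so keys in binaries are caught too."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings.extend(scan_bytes(path.read_bytes(), str(path.relative_to(root))))
    return findings

def release_gate(findings):
    """Checklist decision: any long-term IAM key in the bundle blocks the release,
    whether or not its secret was found nearby (the key ID alone is worth rotating)."""
    return not any(kind == "long-term IAM key" for _, _, _, kind, _ in findings)

# Constructed sample input: AWS's documented placeholder credentials, not live keys.
SAMPLE_CONFIG = (b'{"region":"eu-west-1","accessKeyId":"AKIAIOSFODNN7EXAMPLE",'
                 b'"secretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}')
SAMPLE_CLEAN = b"Runtime fetches short-lived credentials from the backend; nothing embedded."

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_bytes(SAMPLE_CONFIG, "sample-config.json")
    for file, off, key, kind, sev in results:
        print(f"{file}@{off}: {key} ({kind}, {sev})")
    sys.exit(0 if release_gate(results) else 1)
```

Run it with the path of an unpacked bundle as the only argument; a non-zero exit status is the signal a CI release pipeline can use to stop the build, and any key it reports should be rotated rather than just deleted from the source tree.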

The information is gathered from BleepingComputer.
