Published on Sep 02, 2022
A total of 1,859 apps across Android and iOS contain hard-coded Amazon Web Services (AWS) credentials, posing a major security threat.
In a report shared with The Hacker News, Symantec’s Threat Hunter team, a part of Broadcom Software, said that over three-quarters (77%) of the apps contained valid AWS access tokens.
It was found that over 50% of the apps used the same AWS tokens found in other apps maintained by other developers and companies, highlighting a serious supply chain issue.
AWS access tokens could be traced to a shared library, third-party SDK, or another shared component, the researchers reported.
Credentials are typically used for downloading resources necessary to perform the app’s functions, accessing configuration files, and authenticating to other cloud services.
To make matters worse, 47% of the identified apps contained valid AWS tokens that granted complete access to all private files and S3 buckets. Among these were infrastructure files and data backups.
Symantec discovered that an unnamed B2B company, which offers an intranet and communication platform and provides a mobile software development kit (SDK) to its customers, had embedded its cloud infrastructure keys in the SDK.
The company exposed all its customers’ private information, including corporate data and financial records belonging to over 15,000 medium- to large-sized companies.
Researchers found that the hard-coded token was not limited to use with the translation cloud service; anyone with the token had access to all of the B2B company’s AWS services.
Also exposed were five iOS banking apps that used the same AI Digital Identity SDK that contained the cloud credentials, effectively leaking information about 300,000 users’ fingerprints.
The cybersecurity firm notified the organizations about the issues uncovered in their apps.
Researchers from CloudSEK revealed that 3,207 mobile apps expose Twitter API keys in the open, some of which can be used to access Twitter accounts associated with the apps.
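The token reuse across apps described above can be checked for in your own release builds. The following is an added example, not code from Symantec's report: it scans APK/IPA packages (both are zip archives) for AWS access key IDs and reports keys that appear in more than one app, with the embedded file that carries them. The function names, file paths and sample packages are constructed for illustration, and the pattern matches key IDs only (a 20-character ID with the `AKIA` or `ASIA` prefix).

```python
import io
import re
import zipfile
from collections import defaultdict

# AWS access key IDs: 20 characters, "AKIA" (long-term) or "ASIA" (temporary) prefix.
KEY_ID = re.compile(rb"(?<![0-9A-Z])(?:AKIA|ASIA)[0-9A-Z]{16}(?![0-9A-Z])")


def scan_package(data):
    """Return {key_id: [member paths]} for one APK/IPA (both are zip archives)."""
    hits = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for member in pkg.namelist():
            # pkg.read() decompresses the member, so deflated files are covered.
            for match in set(KEY_ID.findall(pkg.read(member))):
                hits[match.decode()].append(member)
    return dict(hits)


def shared_keys(packages):
    """Return {key_id: {app name: [paths]}} for keys present in more than one app."""
    seen = defaultdict(dict)
    for name, data in packages.items():
        for key_id, paths in scan_package(data).items():
            seen[key_id][name] = paths
    return {k: apps for k, apps in seen.items() if len(apps) > 1}


def build_sample(files):
    """Build a constructed in-memory package from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in files.items():
            z.writestr(path, content)
    return buf.getvalue()


# Constructed sample data: two apps bundling the same hypothetical SDK file.
SDK_FILE = b'{"accessKey": "AKIAIOSFODNN7EXAMPLE"}'  # AWS documentation example key ID
SAMPLES = {
    "app_a.apk": build_sample({"assets/vendor_sdk/config.json": SDK_FILE,
                               "res/raw/own.txt": b"key=AKIACONSTRUCTEDKEY00"}),
    "app_b.ipa": build_sample({"Payload/B.app/vendor_sdk.plist": SDK_FILE}),
}

if __name__ == "__main__":
    for key_id, apps in shared_keys(SAMPLES).items():
        print(key_id, "shared by", apps)
```

A key that shows up under a vendor or SDK path in several packages points at the shared component as the source, so removing it from one app does not fix the others.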