Over 1,000 iOS apps were discovered to have hardcoded AWS credentials
Mobile app developers are using risky practices that expose Amazon Web Services (AWS) credentials, leaving the software supply chain exposed, according to security researchers. Malicious actors could use these credentials to access private databases, resulting in data breaches and the exposure of customers’ personal information.
Researchers at Symantec’s Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them iOS apps and only 37 of them Android apps.
Approximately 77% of those applications contained valid AWS access tokens that could be used to gain direct access to private cloud services. Furthermore, 874 applications held valid AWS tokens that attackers could use to access cloud instances hosting live-service databases with millions of records. Depending on the type of application, these databases typically hold user account credentials, logs, internal communications, registration information, and other sensitive data.
In their research, the threat experts identify three significant examples in which the exposed AWS tokens may have had disastrous effects for both the developers and users of the vulnerable apps. A business-to-business (B2B) company that provides intranet and communication services to over 15,000 medium-to-large businesses is one example.
The company’s software development kit (SDK) for accessing its services leaks AWS keys, exposing all private customer data stored on the platform. Another example is a third-party digital identity and authentication SDK, used by several iOS banking apps, that contains genuine cloud credentials. As a result, all authentication data belonging to those banks’ customers, including names, dates of birth, and even biometric digital fingerprint scans, was exposed in the cloud. Finally, Symantec discovered a sports betting technology platform, used by 16 online gambling apps, that exposed its entire infrastructure and cloud services with admin-level read/write access.
The problem of hard-coded and “forgotten” cloud service credentials is really a supply chain issue, because one SDK developer’s carelessness can affect every app and service that relies on that SDK. Mobile app development relies on pre-built components rather than building everything from scratch, so if app publishers do not thoroughly vet the SDKs and libraries they use, a security risk is likely to find its way into their project.
Developers who hard-code credentials in their products do so for convenience during development and testing, and the credentials survive because the code is never adequately inspected for security vulnerabilities before release.
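The practical defence against the problem described above is a pre-release check that scans the unpacked app bundle for credential patterns before it ships. The script below is an added example written for this article; it is not Symantec’s tooling and not code from any of the apps mentioned. It assumes the documented AWS access key ID format (“AKIA” or “ASIA” followed by 16 upper-case alphanumerics) and treats any high-entropy 40-character token near a key ID as a likely secret access key; the 4.0 bits-per-byte entropy threshold, the 512-byte search window, and the sample plist content are all constructed for illustration, and the key pair in the sample is AWS’s published example credential, not a live one.

```python
"""Scan app bundle files for hard-coded AWS credentials (pre-release check).

Added example; not Symantec's tooling. Heuristics (assumptions):
  - long-term access key IDs look like "AKIA" + 16 upper-case alphanumerics
    (temporary ones use "ASIA"), per AWS's documented key format;
  - a secret access key is a 40-character [A-Za-z0-9/+] token with high
    entropy, usually stored close to the key ID in the same file.
The regexes run on raw bytes, so a Mach-O binary, a plist, or a JSON config
can be scanned the same way.
"""
import math
import re
from pathlib import Path

ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_CANDIDATE_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_ENTROPY_THRESHOLD = 4.0  # bits per byte; real secrets score well above this (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for repeated filler such as b"AAAA"."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_aws_credentials(blob: bytes, window: int = 512) -> list:
    """Return one finding per access key ID in `blob`.

    Each finding is {"access_key_id", "offset", "secret_candidate"}; the
    secret candidate is the first high-entropy 40-char token within `window`
    bytes either side of the key ID, or None if nothing plausible is nearby.
    Low-entropy 40-char strings (padding, placeholders) are skipped.
    """
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - window), m.end() + window
        segment = blob[lo:hi]
        secret = None
        for s in SECRET_CANDIDATE_RE.finditer(segment):
            if shannon_entropy(s.group()) >= SECRET_ENTROPY_THRESHOLD:
                secret = s.group().decode("ascii")
                break
        findings.append({
            "access_key_id": m.group().decode("ascii"),
            "offset": m.start(),
            "secret_candidate": secret,
        })
    return findings


def scan_bundle(root: Path) -> list:
    """Walk an unpacked .app/.ipa directory and collect findings per file."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for f in find_aws_credentials(path.read_bytes()):
            results.append({"file": str(path), **f})
    return results


# Constructed sample: a plist-style config as it might ship inside an app
# bundle, using AWS's documented example key pair (not a live credential).
# The 40 x "A" placeholder shows the entropy filter rejecting filler.
SAMPLE_CONFIG = (
    b"\x00\x00<?xml version=\"1.0\"?>\n<dict>\n"
    + b"  <key>Placeholder</key><string>" + b"A" * 40 + b"</string>\n"
    + b"  <key>AWSAccessKeyId</key><string>AKIAIOSFODNN7EXAMPLE</string>\n"
    + b"  <key>AWSSecretKey</key><string>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n"
    + b"</dict>\n"
)

if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_CONFIG):
        print(finding)
```

Run `scan_bundle(Path("Payload/Example.app"))` over an unzipped IPA as part of the release pipeline and fail the build on any finding; the entropy check keeps placeholder strings from tripping it. A hit should be treated as a leaked credential to rotate, not just a line to delete, since the app version that carried it may already be in users’ hands. The longer-term fix is to ship no long-lived keys at all and have the app obtain short-lived, scoped credentials from a backend or identity broker at runtime.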