Hard coded AWS Credentials found in mobile apps
Researchers have discovered 1,859 Android and iOS apps containing hard-coded AWS credentials that allowed access to private cloud services.
Of the apps containing hard-coded credentials, 98% were iOS apps, a trend the researchers have been tracking for years. 47% of these apps contained valid AWS tokens that granted complete access to all private files, including backups, and to Amazon S3 buckets in the cloud.
53% of the apps were using the same AWS access tokens found in other apps developed by the same team or company. This suggests that AWS access tokens are often exposed through a shared library, a third-party SDK, or other shared components used by the development teams.
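The findings above come down to two checks a defender can run over app packages before release or during a vendor review: does any file in the package contain an AWS access key (with the secret usually stored right beside it), and does the same key ID appear in more than one app, which points at a shared SDK or library rather than a one-off mistake? The following is an added example of such a scanner; it is not Symantec's tooling or code from the report. It relies on APK and IPA files being ZIP archives, uses the AWS access key ID format (20 characters beginning with `AKIA` or `ASIA`) as a heuristic, and builds its own constructed sample packages with fake key values so it runs offline.

```python
"""Scan mobile app packages (APK/IPA are ZIP archives) for hard-coded AWS access keys
and flag key IDs reused across several packages, which suggests a shared SDK or library.
Added example, not code from the original article or the cited research."""
import io
import re
import zipfile
from collections import defaultdict

# AWS access key IDs: 20 chars, AKIA (long-term user key) or ASIA (temporary STS key).
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-like chars; only reported when found near a key ID
# to keep false positives down (any random 40-char token would otherwise match).
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
NEARBY = 200  # bytes of context after a key ID in which a secret is searched for


def scan_bytes(data: bytes):
    """Return a list of (key_id, secret_or_None) pairs found in a blob of file content."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(data):
        key_id = m.group(1).decode()
        window = data[m.end(): m.end() + NEARBY]  # config files keep the secret right after the id
        s = SECRET_RE.search(window)
        hits.append((key_id, s.group(1).decode() if s else None))
    return hits


def scan_package(package_bytes: bytes):
    """Scan every entry of a ZIP-based app package. Returns {entry_path: [hits]} for entries with hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = scan_bytes(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def cross_package_reuse(all_findings: dict):
    """Map key_id -> sorted package names for every key seen in more than one package."""
    where = defaultdict(set)
    for pkg, per_file in all_findings.items():
        for hits in per_file.values():
            for key_id, _ in hits:
                where[key_id].add(pkg)
    return {k: sorted(v) for k, v in where.items() if len(v) > 1}


def audit(packages: dict):
    """packages: {package_name: bytes}. Returns (findings per package, keys reused across packages)."""
    findings = {name: scan_package(blob) for name, blob in packages.items()}
    findings = {name: f for name, f in findings.items() if f}
    return findings, cross_package_reuse(findings)


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_packages():
    """Constructed sample packages (not real apps). The key values are the documented AWS
    example credentials and a made-up ID; none of them are live."""
    shared_sdk_cfg = (b'{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE",'
                      b'"aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}')
    return {
        # two banking apps embedding the same identity SDK, and therefore the same credential
        "bank_a.ipa": _zip({"Payload/BankA.app/Info.plist": b"<plist/>",
                            "Payload/BankA.app/Frameworks/IdSDK.framework/sdk_config.json": shared_sdk_cfg}),
        "bank_b.ipa": _zip({"Payload/BankB.app/Frameworks/IdSDK.framework/sdk_config.json": shared_sdk_cfg}),
        # an Android app with only a key ID in a properties file (secret stored elsewhere)
        "casino.apk": _zip({"assets/config.properties": b"s3.bucket=casino-assets\naccessKey=AKIAEXAMPLE000000002\n",
                            "classes.dex": b"dex\n035\x00binary junk"}),
        # a clean app
        "notes.apk": _zip({"AndroidManifest.xml": b"<manifest/>"}),
    }


if __name__ == "__main__":
    findings, reuse = audit(build_sample_packages())
    for pkg, per_file in findings.items():
        for path, hits in per_file.items():
            for key_id, secret in hits:
                print(f"{pkg}: {path}: {key_id} secret={'present' if secret else 'not nearby'}")
    for key_id, pkgs in reuse.items():
        print(f"{key_id} reused across {len(pkgs)} packages: {', '.join(pkgs)} (shared SDK?)")
```

Any key the scanner reports should be treated as compromised and rotated, and the cross-package report tells you whether the fix belongs in one app or in the SDK vendor's release process. The heuristic only catches keys stored as plain strings; keys that are obfuscated or assembled at runtime need a debugger or network capture to find.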
The researchers also provided details about an unnamed B2B company offering an intranet and communication platform that also provided a mobile SDK to its customers. The problem was that the SDK included embedded cloud infrastructure keys used to access the translation service.
The result was that all of the files used on the company's intranet platform by over 15,000 medium-to-large-sized companies were exposed, along with customers' corporate data, financial records, and employees' private data.
The experts also found several popular iOS banking apps using the same third-party AI Digital Identity SDK that embedded the same cloud credentials, putting their entire infrastructures at risk.
These credentials are typically used for downloading appropriate resources necessary for the app’s functions as well as accessing configuration files and authenticating to other cloud services.
Researchers discovered 16 different online gambling apps using the vulnerable library, which exposed their full infrastructure and cloud services across all AWS services. The issue could allow a third party to obtain full read/write root account credentials.
This research was done by researchers from Broadcom Symantec, who notified the organizations behind the vulnerable apps about the issues.