Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials


Researchers have identified 1,859 apps across Android and iOS
containing hard-coded Amazon Web Services (AWS) credentials, posing
a major security risk.

“Over three-quarters (77%) of the apps contained valid AWS
access tokens allowing access to private AWS cloud services,”
Symantec’s Threat Hunter team, a part of Broadcom Software, said in
a report[1]
shared with The Hacker News.

Interestingly, a little more than 50% of the apps were found
using the same AWS tokens found in other apps maintained by other
developers and companies, indicating a supply chain
vulnerability.


“The AWS access tokens could be traced to a shared library,
third-party SDK, or other shared component used in developing the
apps,” the researchers said.

These credentials are typically used for downloading appropriate
resources necessary for the app’s functions as well as accessing
configuration files and authenticating to other cloud services.
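An added detection example, not code from the Symantec report or this article: a small Python scanner that runs over strings extracted from an unpacked app bundle (e.g. the output of `strings` on a decompiled APK or IPA) and flags AWS access key IDs, noting whether a paired secret sits nearby, which is the long-term key pair pattern the report describes. The sample strings below are constructed, not real credentials.

```python
import re

# IAM access key IDs carry a fixed 4-letter prefix (AKIA for long-term user
# keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 characters drawn from [A-Za-z0-9/+]; this is a
# heuristic and will also match other base64-like 40-char runs.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample of extracted strings; the key and secret are fake.
SAMPLE_STRINGS = [
    "com.example.sdk.TranslateClient",
    "aws_access_key_id=AKIAEXAMPLEKEY000001",
    "aws_secret_access_key=constructedSECRET0123456789abcdefABCDEF0",
    "https://translate.us-east-1.amazonaws.com",
    "com.example.sdk.Analytics",
    "ASIAEXAMPLETEMPKEY01",
]


def find_aws_credentials(lines, window=2):
    """Return (line_no, access_key_id, has_adjacent_secret) per key ID found.

    A 40-char secret-shaped token within `window` lines of the key ID is
    treated as a probable paired secret: a key ID alone is a weaker finding,
    a key ID plus secret is a usable long-term credential shipped in the app.
    """
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            nearby = "\n".join(lines[lo:hi])
            has_secret = SECRET_KEY_RE.search(nearby) is not None
            findings.append((i + 1, m.group(1), has_secret))
    return findings


if __name__ == "__main__":
    for line_no, key_id, paired in find_aws_credentials(SAMPLE_STRINGS):
        kind = "key pair" if paired else "key ID only"
        print(f"line {line_no}: {key_id} ({kind})")
```

On a real bundle, feed the scanner the extracted string list and treat every paired finding as a credential to revoke and re-scope, not merely to remove from the next build.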

To make matters worse, 47% of the identified apps contained
valid AWS tokens that granted complete access to all private files
and Amazon Simple Storage Service (S3) buckets in the cloud. This
included infrastructure files and data backups, among others.

In one instance uncovered by Symantec, an unnamed B2B company
offering an intranet and communication platform that also provided
a mobile software development kit (SDK) to its customers had its
cloud infrastructure keys embedded in the SDK for accessing the
translation service.

This resulted in the exposure of all of its customers’ private
data, which encompassed corporate data and financial records
belonging to over 15,000 medium-to-large-sized firms.


“Instead of limiting the hard-coded access token for use with
the translation cloud service, anyone with the token had full
unfettered access to all the B2B company’s AWS cloud services,” the
researchers noted.

Also uncovered were five iOS banking apps relying on the same AI
Digital Identity SDK that contained the cloud credentials,
effectively leaking more than 300,000 users’ fingerprint
information.

The cybersecurity firm said it alerted the organizations of the
issues uncovered in their apps.

The development comes as researchers from CloudSEK revealed that
3,207 mobile apps are exposing Twitter API keys[2] in the clear, some of
which could be utilized to gain unauthorized access to Twitter
accounts associated with them.

References

  1. report (symantec-enterprise-blogs.security.com)
  2. exposing Twitter API keys (thehackernews.com)
