Researchers have found 1,859 Android and iOS applications that contain hard-coded Amazon Web Services (AWS) credentials, a severe security risk. Symantec’s Threat Hunter team, part of Broadcom Software, stated in a report that “over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services.”
Half of the apps were found to use the same AWS tokens as other apps maintained by different developers and businesses, which points to a supply chain problem: the researchers traced the shared tokens to common libraries, third-party SDKs, and other components used to build the apps.
These credentials are typically used to fetch configuration files, download the resources an app needs to function, and authenticate to other cloud services. Worse, 47% of the applications contained valid AWS tokens that granted full access to all private files and Amazon Simple Storage Service (S3) buckets in the associated accounts, including infrastructure files and data backups.
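The following scanner, as an added example that is not code from the Symantec report or from any app it describes, shows how the two findings above are checked in practice: it looks for AWS access key IDs (and a nearby secret) in the string dump of an unpacked app, then flags any key that appears in more than one app, which is the shared-SDK case. It assumes the caller has already unpacked the APK/IPA and extracted its strings; the sample "apps" and the key material are constructed placeholders in the AWS format, not live credentials.

```python
"""Scan strings pulled from an unpacked mobile app for hard-coded AWS credentials
and flag the same key turning up in several apps.

This is an added example; it is not code from the Symantec report or from any
app it describes. It assumes the caller has already unpacked the APK/IPA and
dumped its strings (for example with `strings` over the extracted files); the
"apps" below are constructed and the key material is a fake placeholder in the
AWS format, not a real credential.
"""
import re
from collections import defaultdict

# Long-term IAM user access key IDs begin with "AKIA"; temporary STS keys with "ASIA".
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is a 40-character run of [A-Za-z0-9/+]. On its own that is
# noisy, so a candidate is only reported when it sits near an access key ID.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
NEAR = 200  # characters of context either side of a key ID to search for its secret


def find_credentials(text):
    """Return [(access_key_id, secret_or_None), ...] for each key ID in text."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        window = text[max(0, m.start() - NEAR): m.end() + NEAR]
        secret = None
        for s in SECRET_KEY_RE.finditer(window):
            cand = s.group(1)
            # a real secret mixes upper, lower and digits; skip single-case runs
            if cand != cand.upper() and cand != cand.lower():
                secret = cand
                break
        findings.append((m.group(1), secret))
    return findings


def credential_reuse(apps):
    """Map each access key ID to the sorted list of apps that embed it.

    apps: {app_name: dumped_strings}. A key that appears in more than one app is
    the supply-chain case from the report: one SDK (and its credential) shipped
    to several unrelated developers.
    """
    owners = defaultdict(set)
    for app, text in apps.items():
        for key_id, _secret in find_credentials(text):
            owners[key_id].add(app)
    return {k: sorted(v) for k, v in owners.items()}


def shared_keys(apps):
    """Only the key IDs that are reused across two or more apps."""
    return {k: v for k, v in credential_reuse(apps).items() if len(v) > 1}


# Constructed sample: string dumps from three unpacked apps. AKIAEXAMPLE000000001
# and the secret beside it are placeholders in the right format, not live keys.
SAMPLE_APPS = {
    "com.example.bank": (
        "awsAccessKeyId=AKIAEXAMPLE000000001\n"
        "awsSecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "region=us-east-1\n"
    ),
    "com.example.retail": (
        "translate.sdk.key AKIAEXAMPLE000000001 "
        "translate.sdk.secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    ),
    "com.example.notes": "no cloud credentials here, only UI strings\n",
}

if __name__ == "__main__":
    for app, text in SAMPLE_APPS.items():
        for key_id, secret in find_credentials(text):
            print(f"{app}: {key_id} secret={'found' if secret else 'not found'}")
    for key_id, apps in shared_keys(SAMPLE_APPS).items():
        print(f"{key_id} is shared by {len(apps)} apps: {', '.join(apps)}")
```

A hit from a scanner like this is only a candidate: the key ID format is stable, but the secret heuristic will miss obfuscated or split secrets and can pick up unrelated 40-character blobs, so any finding should be confirmed (and the key rotated) rather than trusted on the regex alone.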
In one case Symantec discovered, a B2B company offering an intranet and communication platform, along with a mobile software development kit (SDK) for its clients, had hard-coded its cloud infrastructure keys into the SDK so that the SDK could reach a cloud translation service. As a result, all of its clients’ confidential information was exposed, including business data and financial records from more than 15,000 medium- to large-sized companies.
“Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company’s AWS cloud services,” noted the researchers.
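The check below, as an added example and not the B2B company’s policy or any code from the report, makes the researchers’ point concrete: it inspects the IAM policy attached to an SDK-embedded key and reports whether it grants only the actions the SDK needs (here, assumed to be Amazon Translate’s TranslateText) or, as in the quoted case, everything. Both policies and the set of needed actions are constructed for illustration.

```python
"""Check that the IAM policy behind an SDK-embedded key grants only what the SDK
needs (here, calling the translation service) rather than every AWS action.

Added example; this is not the B2B company's policy or any code from the report.
The two policies and the list of needed actions are constructed for illustration.
"""
import fnmatch

# What a translation-only client needs (assumption: Amazon Translate's TranslateText).
NEEDED_ACTIONS = {"translate:TranslateText"}


def allowed_actions(policy):
    """Collect the action patterns granted by the policy's Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    allowed = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):       # "Action": "*" rather than a list
            actions = [actions]
        allowed.update(actions)
    return allowed


def missing_actions(policy, needed):
    """Needed actions that no Allow pattern (wildcards included) covers."""
    granted = allowed_actions(policy)
    return sorted(a for a in needed
                  if not any(fnmatch.fnmatchcase(a, pat) for pat in granted))


def excess_grants(policy, needed):
    """Allow patterns that go beyond the exact needed actions, e.g. "*" or "s3:*"."""
    return sorted(pat for pat in allowed_actions(policy) if pat not in needed)


def is_least_privilege(policy, needed):
    """True only if every needed action is granted and nothing else is."""
    return not missing_actions(policy, needed) and not excess_grants(policy, needed)


# Constructed "before": the situation quoted above, a token that reaches every service.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed "after": the same key limited to the one translation call.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["translate:TranslateText"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "least privilege:", is_least_privilege(pol, NEEDED_ACTIONS),
              "excess:", excess_grants(pol, NEEDED_ACTIONS))
```

Scoping the policy limits the blast radius but does not fix the underlying mistake: a long-term key shipped inside an SDK is effectively public. The durable fix is to keep long-term keys out of the client entirely, hand out short-lived credentials from a backend or an identity service instead, and rotate any key that has already been distributed.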
The same AI Digital Identity SDK that embedded the cloud credentials was also found in five iOS banking applications, exposing the fingerprint data of more than 300,000 individuals. The cybersecurity company said it has notified the affected organizations of the problems found in their apps. The development follows CloudSEK’s disclosure that 3,207 mobile applications are leaking their Twitter API keys, some of which could be used to gain unauthorized access to the Twitter accounts linked to them.