Mobile application developers are using unsafe procedures that expose Amazon Web Services (AWS) credentials, endangering the supply chain, according to security experts.
This might be used by malicious actors to gain access to private databases, resulting in data breaches and the exposing of consumers’ personal information.
Severity Of The Issue:
Symantec’s Threat Hunting team, a division of Broadcom Software, discovered 1,859 apps with hard-coded AWS credentials; just 37 of them were Android apps.
About 77% of those applications contained AWS access tokens that could be used to gain direct access to private cloud services.
In 874 applications the AWS tokens were still valid, giving an attacker access to cloud instances hosting active databases with millions of entries.
Depending on the type of programme, these databases frequently contain user account information, logs, internal communications, registration information, and other sensitive data.
Real-World Examples:
The threat experts identify three significant situations in their research where the exposed AWS tokens may have had devastating effects for both authors and users of the vulnerable apps.
One illustration is a business-to-business (B2B) organisation that offers communication and intranet services to more than 15,000 medium- to large-sized businesses.
The firm exposed all private customer data stored on the platform by including AWS keys in the software development kit (SDK) it gave customers to access its services.
Another example is a third-party digital identity and authentication SDK, used by a number of iOS banking apps, that contained valid cloud credentials.
As a result, all identification information from every client of those institutions was exposed in the cloud, including names, dates of birth, and even biometric digital fingerprint scans.
Finally, Symantec discovered a sports betting technology platform utilised by 16 online gambling applications that had admin-level read/write access to its complete infrastructure and cloud services.
What’s going on and why?
The problem of hard-coded and “forgotten” cloud service credentials is essentially a supply-chain issue, because the carelessness of a single SDK developer can affect the vast array of applications and services that depend on that SDK.
Rather than building everything from scratch, mobile app development relies on pre-made components, so if app publishers don’t thoroughly vet the SDKs or libraries they use, a security risk is likely to propagate into their project.
Developers who hard-code credentials into their products do so for convenience during the development and testing phases and to avoid a thorough code review for security flaws.
The following explanations are suggested by Symantec as potential causes of this:
- Downloading or uploading the app’s necessary assets and resources, often big media files, audio, or photos.
- Accessing the app’s configuration files, registering the device, and gathering and storing device data on the cloud.
- Using authentication to access cloud services, such as translation services.
- No specified reason, dead code, or code that was used for testing but was never removed.
Failing to delete these credentials when the product is prepared for client deployment comes down to carelessness and the lack of a checklist-based release procedure that incorporates security.
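As an illustration of the kind of release-checklist step the paragraph above is missing, here is an added example scanner (written for this page, not Symantec’s tooling or any vendor’s code) that looks through the text files of an unpacked app or SDK for AWS access key IDs and flags those that have a secret-shaped token next to them, since an ID plus its secret is a usable credential. The sample config it scans is constructed; the key values in it are AWS’s own published documentation placeholders (`AKIAIOSFODNN7EXAMPLE` and `wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY`), not credentials from any real app. The `AKIA`/`ASIA` prefixes are AWS’s real conventions for long-term IAM keys and temporary STS keys; the window size and the line-based heuristic are this example’s own choices.

```python
import os
import re
from typing import Dict, List, NamedTuple

# Constructed sample of what a packaged SDK/config file might look like.
# Key values are AWS's documentation placeholders, not live credentials.
SAMPLE_CONFIG = """\
# media upload settings
media.bucket = app-media-prod
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY

# translation service client
translate.region = us-east-1
translate.target = de

# temporary creds left over from a test run, never removed
session.key = ASIAEXAMPLE123456789
build.id = AKIA_NOT_A_KEY_12345
"""

# Access key IDs are 20 characters: a 4-char prefix plus 16 upper-case
# alphanumerics. AKIA = long-term IAM user key, ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

KEY_TYPES = {"AKIA": "long-term IAM access key", "ASIA": "temporary STS credential"}
SECRET_WINDOW = 3  # heuristic: how many lines apart an ID and its secret may sit


class Finding(NamedTuple):
    line: int            # 1-based line number in the scanned text
    key_id: str
    key_type: str
    secret_nearby: bool  # a 40-char secret-shaped token within SECRET_WINDOW lines


def scan_text(text: str, window: int = SECRET_WINDOW) -> List[Finding]:
    """Return every AWS access key ID in `text`, noting whether a secret-shaped
    token sits close enough that the pair is probably a complete credential."""
    lines = text.splitlines()
    secret_lines = {i for i, ln in enumerate(lines) if SECRET_RE.search(ln)}
    findings: List[Finding] = []
    for i, ln in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(ln):
            nearby = any(abs(i - s) <= window for s in secret_lines)
            findings.append(Finding(i + 1, m.group(0), KEY_TYPES[m.group(1)], nearby))
    return findings


def scan_path(root: str) -> Dict[str, List[Finding]]:
    """Walk an unpacked app/SDK directory and scan every file as text.
    Binary files decode with errors ignored, so they are cheap to include."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = scan_text(fh.read().decode("utf-8", errors="ignore"))
            if found:
                report[path] = found
    return report


def release_gate(text: str) -> bool:
    """Checklist step: the build passes only if no access key ID is present.
    Even an expired ASIA key fails the gate; it shows test material shipped."""
    return not scan_text(text)


def redact(text: str) -> str:
    """Log-safe copy for the scan report: keep prefix + last 4 of each key ID,
    blank out anything secret-shaped so the report itself does not leak."""
    text = SECRET_RE.sub("[REDACTED-SECRET]", text)
    return ACCESS_KEY_RE.sub(lambda m: m.group(0)[:4] + "..." + m.group(0)[-4:], text)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        status = "ID+secret pair" if f.secret_nearby else "ID only"
        print(f"line {f.line}: {redact(f.key_id)} ({f.key_type}, {status})")
    print("release gate:", "PASS" if release_gate(SAMPLE_CONFIG) else "FAIL")
```

Run against a directory with `scan_path("/path/to/unpacked-app")`. The regexes catch the documented key shapes only; an ID that fails the gate still needs a human to decide whether the key is live and to rotate it, and a clean scan does not prove there are no credentials in obfuscated or encrypted resources.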