Experts find hard-coded AWS credentials
Experts have found 1,859 applications across Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials, becoming a major security threat. More than 77% of the apps contain valid AWS access tokens that allow access to private AWS cloud services.
Mobile apps may contain vulnerabilities in the supply chain that can potentially cause exposure to sensitive data, which can be used by hackers for other attacks. Supply chain vulnerabilities in mobile apps are often added by app developers, intentionally or unintentionally.
The developers don't know the downside of the security impacts, putting the app users' privacy, as well as the employer and organizations' privacy at risk too.
Source of the Problem
Researchers at Broadcom Software looked into why and where exactly the AWS access tokens were inside the applications, and whether present in other apps too. They found over half (53%) of the apps were using the same AWS access tokens found in other apps.
These apps, interestingly, were from different app developers and organizations. This way, the experts found a supply chain vulnerability, it could be traced to a shared library, third-party SDK, or other shared components used in making the apps.
Why app developers are using hard-coded access keys?
- Downloading or uploading assets and resources needed for the applications, generally large media files, images, or recordings.
- To access configuration files for the app and/or register the device or get device info for cloud storage.
- Access cloud services that need authentication, like translation services.
- For no particular reason, the dead code was used for testing and never removed.
In one incident discovered by Symantec, an unknown B2B company that offers an intranet and communication platform and also provides a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK to access the translation service.
It led to the leak of all of its customers' personal information- corporate data and financial records that belonged to more than 15000 medium to large-sized firms.
How can users stay safe from supply chain attacks?
It is possible to protect yourself from supply chain issues, one can add security scanning solutions to the app development lifecycle and if using an outsourced provider, you can review Mobile App Report Cards, which can notice any malicious app behaviors or vulnerabilities for every launch of the mobile app, can all be helpful in to highlight potential issues.
If you're an app developer, you can look for a report card that both scans SDKs and frameworks in your apps and finds the source of any vulnerabilities or suspicious behaviors.
