More than 1,800 Android and iOS apps have been found to contain hard-coded Amazon Web Services (AWS) credentials, presenting a serious security risk.
Security researchers at Symantec, a division of Broadcom, analyzed a collection of apps with AWS credentials embedded in them and found that 77% contained valid AWS access tokens granting access to private AWS cloud services, and that nearly half of the apps (47%) contained valid tokens that also gave full access to numerous private files via the Amazon Simple Storage Service (Amazon S3).
It was also found that 53% of the apps (often from different developers and companies) were using the same AWS access tokens found in other apps, indicating a supply-chain vulnerability.
“The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps,” the researchers wrote.
The research showed that the hard-coded access keys were used to download or upload assets and resources required by the app (large media files, recordings, or images); to access the app's configuration files; to register the device, collect device information and store it in the cloud; and to access cloud services that require authentication, such as translation services. In some cases there was no specific reason for hard-coding the keys, or they had been added for testing and never removed.
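The two findings above (the same keys turning up in unrelated apps, and long-lived keys embedded for asset downloads and device registration) are easy to reproduce against your own app inventory. The following is an added example, not code from the Symantec research or from any app mentioned in the article: it pulls AWS access key IDs and nearby secret-key candidates out of raw binary strings and then correlates the key IDs across several apps, so a key shared by more than one app stands out as a probable shared SDK or library. The sample "binaries" are constructed inline; the first key pair is the placeholder pair AWS publishes in its documentation, and the second pair, the app names and the SDK names are made up for the example.

```python
import re
from collections import defaultdict

# Access key ID: a 4-char prefix (AKIA = long-lived IAM user key, ASIA = temporary
# STS session key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access key: 40 chars from the base64 alphabet. It is only accepted when it
# sits close to an access key ID, so hashes and other 40-char runs elsewhere in a
# binary do not produce false positives on their own.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def extract_credentials(blob, window=512):
    """Scan raw bytes (e.g. an extracted APK/IPA, a .so, or a strings dump) and
    return sorted (access_key_id, secret) pairs. secret is None when no 40-char
    candidate appears within `window` bytes after the access key ID."""
    found = set()
    for m in ACCESS_KEY_RE.finditer(blob):
        akid = m.group(1).decode()
        nearby = blob[m.end():m.end() + window]
        s = SECRET_RE.search(nearby)
        found.add((akid, s.group(1).decode() if s else None))
    return sorted(found, key=lambda p: (p[0], p[1] or ""))


def key_kind(akid):
    """AKIA keys never expire on their own, so a leaked one stays usable until it is
    rotated; ASIA keys are STS session keys that expire by themselves."""
    return "long-lived (IAM user)" if akid.startswith("AKIA") else "temporary (STS)"


def shared_credentials(apps):
    """Given {app_name: blob}, return {access_key_id: sorted app names} for every key
    that appears in more than one app: the supply-chain signal the article describes."""
    seen = defaultdict(set)
    for name, blob in apps.items():
        for akid, _ in extract_credentials(blob):
            seen[akid].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample data mimicking what `strings` pulls out of app binaries.
# "libmedia-sdk" and "idsdk" are hypothetical SDK names; the first key pair is the
# documented AWS placeholder pair, the second is invented for this example.
SAMPLE_APPS = {
    "shop-android": (b"\x00\x00libmedia-sdk\x00AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
                     b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
                     b"s3://assets-bucket/media/\x00"),
    "news-ios": (b"\x00libmedia-sdk\x00AKIAIOSFODNN7EXAMPLE\x00"
                 b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"),
    "bank-ios": (b"\x00idsdk\x00accessKey:AKIAZZZZTESTKEY0001A\x00"
                 b"secretKey:ZZZZTESTSECRETZZZZTESTSECRETZZZZTEST0001\x00"),
    # a 40-hex SHA-1 with no access key nearby must not be reported
    "clean-app": b"\x00build 0123456789abcdef0123456789abcdef01234567\x00",
}


if __name__ == "__main__":
    for app, blob in SAMPLE_APPS.items():
        for akid, secret in extract_credentials(blob):
            print(f"{app}: {akid} [{key_kind(akid)}] secret={'yes' if secret else 'no'}")
    for akid, apps in shared_credentials(SAMPLE_APPS).items():
        print(f"shared key {akid} in {', '.join(apps)} -> probable common SDK")
```

On a real inventory, feed each app's unpacked files (the APK's classes.dex and native libraries, the IPA's main executable and frameworks) to `extract_credentials`. Whether a recovered pair is still live, which is what the article's "valid tokens" figure measures, cannot be decided offline; the usual check is `aws sts get-caller-identity` with the pair loaded into the environment, run only against keys you are authorized to test, followed by immediate rotation of anything that answers.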
In one instance an unnamed business-to-business (B2B) company providing an intranet and communication platform had also shipped a mobile SDK for accessing the platform; the SDK contained the company's cloud infrastructure keys, exposing employee and customer data, including customers' corporate data, financial records, and employees' private data. All the files the company hosted on its intranet for over 15,000 medium-to-large companies were also exposed.
The researchers also discovered several iOS banking apps using the same vulnerable third-party AI Digital Identity SDK, which contained cloud credentials that could expose private authentication data and keys belonging to every banking and financial app using the SDK. In total, over 300,000 biometric digital fingerprints were leaked across five mobile banking apps using the SDK.
In addition, Symantec found 16 different online gambling apps using the vulnerable library that exposed their full infrastructure across all AWS cloud services, with full read/write root account credentials.
All the affected companies have been informed of the security issue, the researchers said.