Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

Researchers have discovered more than 1800 Android and iOS apps contain hard-coded Amazon Web Services credentials and pose a significant security risk.

According to a report from Symantec’s Threat Hunter Team, part of Broadcom Software, “Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services.”

Because 50% of the apps used the same AWS tokens that appeared in other apps, it became clear that this was a supply chain vulnerability.

The developers of these apps used a shared library or third-party SDK, so it is impossible to identify which user originally obtained the AWS access tokens.

App credentials are used to access necessary resources and files, as well as provide authentication.

47% of the identified apps contain valid AWS tokens granting complete access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This includes infrastructure files and data backups, among others.
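As an added illustration that is not part of the Symantec report or this article, the following Python script shows the kind of pre-release check a defender can run over the unpacked contents of an app package: it flags strings matching the AWS access key ID format, looks for an accompanying secret next to a "secret key" hint, and correlates key IDs across several apps, which is the shared-SDK signal described above. The app package names, file paths and the key ID AKIAEXAMPLESDKTOKEN1 are constructed for this example; AKIAIOSFODNN7EXAMPLE and its 40-character secret are the placeholder credentials AWS publishes in its own documentation.

```python
import re
from collections import defaultdict

# AWS long-term access key IDs are 20 characters beginning with "AKIA";
# temporary (STS) key IDs begin with "ASIA". The look-arounds stop the pattern
# from matching inside a longer alphanumeric or base64 run.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")

# Secret access keys are 40 characters of base64-like text. On their own they
# look like any other blob, so only flag one that sits right after a
# "secret ... key" hint such as aws_secret_access_key or AWSSecretKey.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_blob(data: bytes):
    """Return (key_ids, secrets) found in one file. Binary files (native
    libraries, compiled resources) are scanned after a lossy decode."""
    text = data.decode("utf-8", errors="ignore")
    return set(AWS_KEY_ID_RE.findall(text)), set(AWS_SECRET_RE.findall(text))


def scan_apps(apps):
    """apps maps app name -> {path: bytes} for an unpacked package.
    Returns (findings per app, key_id -> sorted list of apps containing it)."""
    findings = {}
    key_to_apps = defaultdict(set)
    for app, files in apps.items():
        hits = []
        for path, data in files.items():
            key_ids, secrets = scan_blob(data)
            for key_id in key_ids:
                key_to_apps[key_id].add(app)
                hits.append({"path": path, "key_id": key_id,
                             "secret_present": bool(secrets)})
        findings[app] = hits
    return findings, {k: sorted(v) for k, v in key_to_apps.items()}


def shared_keys(key_to_apps):
    """Key IDs present in more than one app: the signature of a credential
    embedded in a shared library or third-party SDK."""
    return {k: v for k, v in key_to_apps.items() if len(v) > 1}


# Constructed sample: three unpacked apps, two of which bundle the same SDK.
SHARED_SDK_LIB = b"\x7fELF\x00\x00\x00AKIAEXAMPLESDKTOKEN1\x00https://s3.amazonaws.com\x00"
SAMPLE_APPS = {
    "com.example.bank": {
        "assets/config.json": (
            b'{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", '
            b'"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'
        ),
        "lib/arm64-v8a/libidentity_sdk.so": SHARED_SDK_LIB,
    },
    "com.example.chat": {
        "lib/arm64-v8a/libidentity_sdk.so": SHARED_SDK_LIB,
    },
    "com.example.clean": {
        # "AKIAK" is followed by a space, so it is not a 20-character key ID.
        "res/values/strings.xml": b'<string name="slogan">AKIAK is not a key</string>',
    },
}


if __name__ == "__main__":
    findings, key_to_apps = scan_apps(SAMPLE_APPS)
    for app, hits in findings.items():
        for hit in hits:
            print(f"{app}: {hit['path']} -> {hit['key_id']} "
                  f"(secret nearby: {hit['secret_present']})")
    for key_id, apps in shared_keys(key_to_apps).items():
        print(f"shared across {len(apps)} apps (likely SDK): {key_id} in {apps}")
```

Against a real build, walk the unpacked APK or IPA directory and feed each file into scan_apps instead of the constructed dictionary. Any hit should be treated as a key that needs rotating, and the fix is to stop shipping long-term credentials in the binary at all: have the app obtain short-lived, narrowly scoped tokens from a backend at runtime so a leaked string cannot grant access to every bucket the account owns.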

In one instance, a company that provides an intranet and communication platform also distributed a mobile SDK, which is common enough among companies of this kind. The same company also provided translation services to its customers. When the SDK was handed to customers, it gave them access to the platform’s cloud infrastructure keys.

This exposed customers’ private data, including corporate records belonging to over 15,000 medium-to-large businesses.

The company’s access may have been limited by a token used in its translation service. However, that token was left open to anyone.

iOS banking apps were also found to be vulnerable because they used the same AI Digital Identity SDK. Clients using this Digital ID SDK risked having their fingerprint data leaked.

The cybersecurity company uncovered the issues in some of its clients’ apps and outlined them.

Separately, research from CloudSEK found that 3,207 mobile apps contain security vulnerabilities that may be used to gain unauthorized access to Twitter accounts.
