More than 40 apps with over 100 million installs leak AWS keys. The mobile apps you install on your phone are not always safe and secure.
CloudSEK recently came up with BeVigil, a platform that allows users to search and check app security ratings and other security issues before you install the app. It is a good way to explore the pitfalls and identify vulnerabilities on a large scale.
How does BeVigil find popular apps leaking AWS keys?
BeVigil, a mobile app security search engine developed by CloudSEK, analyzed over 10,000 apps. It was able to spot AWS key leakage in major apps such as Adobe Photoshop Fix, Adobe Comp, Hootsuite, IBM’s Weather Channel, and the online shopping services Club Factory and Wholee.
According to CloudSEK, AWS keys hardcoded into a mobile app’s source code are a problem, especially when the associated “Identity and Access Management” (IAM) role has a wide scope and broad permissions. This increases the chances of the key being misused by bad actors, who can chain attacks and gain further access to the whole infrastructure, including the code base and configurations.
Keeping these security risks in mind, the security company took on the responsibility of disclosing the security concerns to AWS and to the affected companies independently.
How does BeVigil work?
As a mobile security search engine, BeVigil lets security researchers search app metadata, review app code, view security reports and Risk Scores, and even scan new APKs. With hackers injecting malicious code into SDKs used by app developers, BeVigil can be used to identify apps that bundle such malicious SDKs.
Security researchers can also carry out in-depth metadata searches on the web, which enables a thorough investigation of various apps. In short, BeVigil is more like an antivirus tool for consumers and security researchers. The scanning reports generated by BeVigil are available to the entire CloudSEK community.
What Can BeVigil Search?
BeVigil is indeed a powerful tool that can search millions of apps for vulnerable code snippets or keywords to learn which apps contain malicious code. It helps researchers easily analyze quality data, correlate threats, and deal with false positives.
Apart from searching for a specific app, you can also search by other criteria, such as apps:
- From an organization.
- Above or below a certain security score; e.g., credit apps with a security score of 7.
- Released within a certain time period (select “from” and “to” dates); e.g., identify credit apps released in 2021.
- From 48 different categories such as finance, education, tools, health & fitness, etc.
- From a specific developer by searching with the developer’s email address.
- Developed in a specific country; for example, identify banking apps from Germany.
- Developed in a specific location by searching with the pin code or developer email address.
- That record audio in the background.
- That record location in the background.
- That can access the camera device.
- That can access specific permission on your device.
- With a specific target SDK version.
Apart from this, you can also use regexes to find apps with security vulnerabilities by searching for code patterns.
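The regex-over-code-patterns search described above is the same technique a development team can run on its own build artifacts before release, to catch exactly the hardcoded AWS keys the article describes. The following is an added example, not BeVigil's or CloudSEK's code: it unpacks an APK (a ZIP archive), applies the publicly documented AWS access key ID shape plus a labelled-secret heuristic to every member, and reports masked matches. The sample APK is constructed inline and the key values are AWS's documented placeholder credentials, not real ones.

```python
import io
import re
import zipfile
from typing import Dict, List

# AWS access key IDs have a fixed, publicly documented shape: "AKIA" + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret access keys have no prefix, so only flag a 40-char token that sits
# right after a "secret ... key" label (heuristic; expect some false positives).
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def mask(value: str) -> str:
    """Keep only a short prefix so the report never re-leaks the credential."""
    return value[:6] + "*" * (len(value) - 6)

def scan_text(text: str, origin: str) -> List[Dict[str, str]]:
    """Return one finding per access key ID or labelled secret found in text."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        findings.append({"file": origin, "type": "aws_access_key_id", "value": mask(m.group(1))})
    for m in SECRET_KEY_RE.finditer(text):
        findings.append({"file": origin, "type": "aws_secret_access_key", "value": mask(m.group(1))})
    return findings

def scan_apk(apk_bytes: bytes) -> List[Dict[str, str]]:
    """An APK is a ZIP; decode every member as latin-1 so binary members
    (classes.dex, native libraries) still yield their embedded ASCII strings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            findings.extend(scan_text(zf.read(name).decode("latin-1"), name))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for a build artifact (hypothetical file names);
    the credentials are AWS's documented placeholder values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.properties",
                    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        zf.writestr("res/values/strings.xml", '<string name="app_name">Demo</string>')
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['type']:22} {f['file']}: {f['value']}")
```

Wiring `scan_apk` into a CI step that fails the build on any finding turns the article's detection idea into a release gate; a match should also trigger rotation of the key, since a shipped APK can be unpacked by anyone.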