Flawed Android and iOS app developer practices could allow attackers to access private Amazon Web Services (AWS) credentials, researchers say.
Android and iOS apps were found to contain hard-coded AWS credentials, a flaw malicious actors could use to penetrate private databases, resulting in personal data loss and data breaches.
Researchers at Broadcom Software identified 1,859 publicly available apps with hard-coded AWS credentials. The vast majority of the apps, 98%, were iOS apps.
According to the recently published report, over three-quarters of apps had valid AWS access tokens that allow access to private AWS networks. Half of the apps with valid tokens gave full access to countless personal files via the Amazon Simple Storage Service (Amazon S3).
Databases of this kind are often filled with sensitive information such as user account details, registration data, and app logs.
A supply chain vulnerability is the likeliest explanation for the prevalence of hard-coded functional credentials: 53% of apps used the same AWS access tokens, and researchers surmise that they originated in a shared library or software development kit (SDK) that developers commonly use.
In several cases, developers used an SDK with hard-coded AWS credentials in popular banking apps. If discovered by threat actors, the mistake could cost app developers gravely.
“Embedded in the SDK were cloud credentials that could place entire infrastructures at risk. The credentials could expose private authentication data and keys belonging to every banking and financial app using the SDK,” the report’s authors claim.
To make matters worse, access tokens allowed accessing a cloud database with users’ biometric digital fingerprint data, names, dates of birth, and other extremely sensitive data.
Another example points to a business-to-business (B2B) company that provides a communication platform to over 15,000 medium and large companies.
However, the SDK that the company provided to its users contained cloud infrastructure keys, exposing the data of every single customer. Researchers claim that the hard-coded AWS access token was left in so that users could access the AWS translation service.
“Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company’s AWS cloud services,” the report’s authors said.
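The kind of check that surfaces SDK-embedded keys like the ones above can be done on an unpacked app bundle before release. The following scanner is an added example, not the researchers' tooling: it relies on the public AWS key-ID format (long-term keys start with AKIA, temporary keys with ASIA) and scans a small constructed sample bundle with fake values.

```python
import re
import tempfile
from pathlib import Path

# Public key-ID format: long-term IAM user keys start with AKIA, STS temporary
# keys with ASIA; both are 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-like characters; far too common a shape to report
# on its own, so only flag one that sits within 300 bytes after a key ID.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample files standing in for an unpacked bundle (fake values).
SAMPLE_FILES = {
    "Frameworks/TranslateSDK/config.plist":
        b"<key>aws_access_key_id</key><string>AKIAEXAMPLEKEY000001</string>\n"
        b"<key>aws_secret_access_key</key>"
        b"<string>CONSTRUCTEDsecret0123456789abcdefghijABC</string>\n",
    "assets/strings.txt": b"region=eu-west-1\ntoken_hint=ASIATEMPORARYKEY0002\n",
    "assets/readme.txt": b"No credentials here: AKIA is just a prefix mention.\n",
}

def mask(key: bytes) -> str:
    """Never echo a full key; keep enough to correlate with the IAM console."""
    return key[:4].decode() + "..." + key[-4:].decode()

def scan_bytes(data: bytes) -> list:
    """Return (masked key ID, secret_nearby) for every key ID in a blob."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        window = data[m.end():m.end() + 300]
        findings.append((mask(m.group(0)), SECRET_RE.search(window) is not None))
    return findings

def scan_tree(root: Path) -> list:
    """Walk an unpacked .ipa/.apk tree; return (relative path, key, secret?)."""
    out = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for key, secret in scan_bytes(path.read_bytes()):
            out.append((path.relative_to(root).as_posix(), key, secret))
    return out

def demo() -> list:
    """Materialise the constructed sample bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        return scan_tree(root)

if __name__ == "__main__":
    for path, key, secret in demo():
        print(f"{path}: {key}  secret nearby: {secret}")
```

A hit with a secret nearby is the case the report describes; a lone key ID still warrants rotating the key and checking what its IAM policy allows.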