Massive amounts of private data — including more than 300,000 biometric fingerprints used by five mobile banking apps — have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.
Symantec’s Threat Hunter team said it discovered 1,859 publicly available applications, Android and iOS, containing embedded AWS credentials. This means that if someone were to look inside the apps, they would have found the credentials in the code and could potentially use them to access Amazon-hosted servers and steal user data. The vast majority (98%) were iOS apps.
A total of 77% of these applications contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in a study released today.
Additionally, nearly half (47%) contained valid AWS tokens providing full access to sometimes millions of private files through Amazon S3 buckets. These hard-coded AWS access tokens would be easy to mine and exploit, and reflect a serious supply chain problem, Dick O’Brien, editor of Symantec’s Threat Hunter team, told The Register.
We’re told that the creators of these apps may not have embedded the credentials themselves, or even know they are there: the tokens may have been introduced by a poorly designed software dependency.
“When you’re talking about mobile app development, most people don’t start from scratch,” O’Brien said.
Instead, developers rely on software libraries, software development kits (SDKs), and other third-party components that comprise the “building blocks that apps are made of,” he added.
“Each of them makes decisions about the security of a product that you end up providing to your customers. So a decision of, say, someone providing an SDK to put hard-coded credentials could potentially impact thousands of different applications, depending on how widely it is used.”
Not all apps scanned by the threat hunters had a massive user base. But a deeper dive into some of the most interesting ones turned out to be “quite alarming,” O’Brien said. “What we saw, the profile of the applications and the nature of the companies that participated, would certainly make you think.”
Here are some examples of what the researchers found.
Exposed Sensitive Information
In one case, we are told, a B2B provider of intranet and communications services gave a mobile SDK to its customers so that they could access its platform. The SDK was found to contain the provider’s cloud infrastructure keys, which potentially exposed all of its customer data stored on the platform, including financial records, employee information and other data. Data on more than 15,000 medium and large companies was exposed.
The SDK had a hard-coded AWS token to access an Amazon-powered translation service. However, this token granted full access to the vendor’s backend systems, rather than just the translation tool. “Instead of limiting the use of the hard-coded access token with the translation cloud service, anyone with the token had full and unfettered access to all of the B2B enterprise’s AWS cloud services,” wrote Kevin Watkins of Symantec.
In another example of what not to do in mobile app development, the security firm found five iOS banking apps that used the same vulnerable AI digital identity SDK.
Using third-party software for the authentication component of an application is quite common.
As noted by Watkins: “The complexity of providing different forms of authentication, maintaining secure infrastructure, access and identity management can be expensive and requires expertise to properly do things.”
However, it can also lead to data leaks. In this case, the SDK included embedded credentials that exposed users’ biometric fingerprints used for authentication, along with names and birth dates. “Over 300,000 people’s fingerprints were exposed,” O’Brien said.
Apart from the banking customers’ personal information, the access key also exposed the server’s infrastructure and plans, including the API source code and the AI models used.
Finally, in a third example of mobile application supply chain risk, Symantec found 16 online gaming applications using a vulnerable software library that, according to Watkins, “exposed complete infrastructure and cloud services across all AWS cloud services with full read/write root account credentials.” Not a good look for the highly regulated sports betting industry.
The security firm said it informed all of these organizations about the flaws.
Why Applications Use Hard-Coded Access Keys
There are several reasons why these applications embed access keys. Some are legitimate: the application needs to download resources or access certain cloud services, such as the AWS translation service, which require authentication. Sometimes the key sits in dead code, or a developer used it to test the application and did not remove it before the app went into production.
“For the most part it’s driven by some ignorance of what you’re exposing,” O’Brien said. “By using credentials to access a resource in the cloud, you are then exposing anything that is accessible using those credentials. It’s probably a combination of a bit of ignorance and maybe from a bit of negligence on the part of the developers.”
Organizations can protect against these software supply chain vulnerabilities by following best practices for sharing and using cloud computing provider resources, he added.
“In particular, developers should never reuse cloud shares intended for user data with internal company data, and should ensure that all shares are properly locked down with permissions designed for stored data,” warned O’Brien. “Short-term keys limited to only the data and cloud services the application needs, nothing more, is the way to go.” ®
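As an added illustration of the least-privilege point above and of the translation-SDK case, here is a small policy check (example code, not Symantec's or The Register's) that flags IAM grants broader than the one service an embedded token is supposed to use. The policy documents and the bucket name in them are constructed for the example.

```python
import json

# Constructed policies (not from the report) mirroring the translation-SDK case:
# a token meant for Amazon Translate whose policy actually allows everything,
# beside one scoped to the single action the SDK needs.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["translate:TranslateText"],
                   "Resource": "*"}],  # Translate has no resource-level ARNs
})
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "translate:TranslateText", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},  # constructed bucket name
    ],
})


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json, expected_services=("translate",)):
    """Flag Allow statements that grant more than the expected services.

    Returns (statement_index, action, reason) tuples. A token embedded in a
    shipped app should produce no findings against the services it truly needs.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # "everything except" is broad by construction
            findings.append((idx, "NotAction", "negated action grant"))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append((idx, action, "wildcard action"))
            elif service not in expected_services:
                findings.append((idx, action, "action outside expected services"))
    return findings
```

Run against the policy attached to any IAM user or role whose key ships inside an app; anything it reports is data the key can reach that the app never needed.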