Researchers have identified 1,859 apps across Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials, a significant security risk.
In a report shared with The Hacker News, Symantec's Threat Hunter Team, part of Broadcom Software, said, "Three-quarters (77%) of the apps contain valid AWS access tokens that allow access to private AWS cloud services."
Moreover, over 50% of the apps were found to be using the same AWS tokens that appeared in other apps created by different developers and companies, pointing to a supply chain problem with serious implications.
"The AWS access token could be traced to a shared library, third-party SDK, or other shared component used in developing the app," the researchers said.
These credentials are typically used to download the resources the app needs for its features, as well as to access configuration files and authenticate to other cloud services.
To make matters worse, 47% of the identified apps contained valid AWS tokens that granted full access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included infrastructure files and data backups, among others.
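The check a development or security team would run on its own build output before shipping, added here as an example and not taken from Symantec's report: a small Python scanner over the strings pulled from an APK or IPA (the input below is a constructed sample standing in for `strings` output, including a vendor SDK's config file). It looks for 20-character AWS access key IDs (AKIA for long-term IAM user keys, ASIA for STS temporary keys), then searches the next few lines for a 40-character secret from the AWS secret key alphabet, using Shannon entropy to discard look-alikes such as hex digests and zero placeholders. The sample credentials are the well-known placeholders from AWS documentation; the key names, file layout and decoys are assumptions made for the example.

```python
"""Scan strings pulled from a mobile app build for hard-coded AWS credentials.

Added example, not from Symantec's report. SAMPLE_STRINGS is constructed to
stand in for `strings` output on a decompiled APK or IPA.
"""
import math
import re
from collections import Counter

# Long-term IAM user keys start with AKIA, STS temporary keys with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters drawn from [A-Za-z0-9/+]. The lookarounds
# keep the pattern from matching inside a longer run of the same alphabet, and
# because '=' is not in the alphabet, "secretAccessKey=<value>" splits at the '='.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def shannon_entropy(s):
    """Bits of entropy per character. A 40-char hex digest stays below 4.0
    (16 symbols, never uniform over 40 chars); a real 40-char secret from a
    64-symbol alphabet typically lands between 4.5 and 5.2."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_aws_credentials(lines, window=3, min_entropy=4.0):
    """Return one finding per access key ID, paired with the first high-entropy
    40-char secret on the same line or within `window` following lines (or None)."""
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            secret = None
            for j in range(i, min(i + window + 1, len(lines))):
                for sm in SECRET_KEY_RE.finditer(lines[j]):
                    cand = sm.group(1)
                    # Skip placeholders (all zeros) and hex digests such as a git
                    # commit id, which the 40-char pattern also matches.
                    if shannon_entropy(cand) >= min_entropy:
                        secret = cand
                        break
                if secret is not None:
                    break
            findings.append({
                "line": i,
                "access_key_id": key_id,
                "key_type": "long-term" if key_id.startswith("AKIA") else "temporary",
                "secret_access_key": secret,
            })
    return findings


def mask(value):
    """Show only the ends so the scan report does not itself leak the secret."""
    if value is None:
        return "<no secret found nearby>"
    return value[:4] + "..." + value[-4:]


# Constructed sample: what `strings` might pull from an app that bundles a vendor
# SDK carrying its own AWS config. The credentials are AWS documentation
# placeholders; a hex commit id and an all-zero string act as decoys.
SAMPLE_STRINGS = [
    "com.example.app.BuildConfig",
    "# vendor translation SDK config",
    "aws.region=us-east-1",
    "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE",
    "build.commit=2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
    "aws.secretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "aws_session_token=ASIA" + "Z" * 16,  # temporary key ID with no secret nearby
    "0" * 40,
]

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_STRINGS):
        print(f"line {f['line']}: {f['key_type']} key {f['access_key_id']} "
              f"secret {mask(f['secret_access_key'])}")
```

Run against the real thing with `strings -n 16 classes.dex` or the unzipped IPA payload piped in as lines; a hit on a key that is not a documentation placeholder means the credential is already public and should be rotated, not just removed from the next build.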
In one example uncovered by Symantec, an unnamed B2B company offering an intranet and communications platform, which also provided a mobile software development kit (SDK) to its customers, had embedded the keys to its cloud infrastructure in that SDK in order to reach a translation service.
This resulted in the exposure of the personal data of all of its customers, including corporate data and financial records of more than 15,000 medium- to large-sized companies.
"Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full access to all of the B2B company's AWS cloud services."
Five iOS banking apps that relied on the same AI Digital Identity SDK were also exposed, along with their cloud credentials, effectively leaking the fingerprint information of more than 300,000 users.
The cybersecurity firm said it has alerted the affected organizations to the issues in their apps.
The development comes as CloudSEK researchers revealed that 3,207 mobile apps are exposing Twitter API keys, some of which could be used to gain unauthorized access to the Twitter accounts linked to them.