Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk.
“Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services,” Symantec’s Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.
Interestingly, a little more than 50% of the apps were found using the same AWS tokens found in other apps maintained by other developers and companies, highlighting a supply chain issue with serious implications.
“The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps,” the researchers said.
These credentials are typically used for downloading appropriate resources necessary for the app’s functions as well as accessing configuration files and authenticating to other cloud services.
To make matters worse, 47% of the identified apps contained valid AWS tokens that granted complete access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included infrastructure files, and data backups, among others.
In one instance uncovered by Symantec, an unnamed B2B company offering an intranet and communication platform that also provided a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK for accessing the translation service.
This resulted in the exposure of all of its customers’ private information, which encompassed corporate data and financial records belonging to over 15,000 medium-to-large-sized firms.
“Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company’s AWS cloud services,” the researchers noted.
Also uncovered were five iOS banking apps relying on the same AI Digital Identity SDK that contained the cloud credentials, effectively leaking more than 300,000 users’ fingerprint information.
The cybersecurity firm said it alerted the organizations of the issues uncovered in their apps.
The development comes as researchers from CloudSEK revealed that 3,207 mobile apps are exposing Twitter API keys in the clear, some of which could be utilized to gain unauthorized access to Twitter accounts associated with them.