Android and iOS mobile apps used by thousands of customers, including banking apps, have been found to contain hardcoded Amazon Web Services (AWS) credentials that could let attackers steal sensitive information from corporate clouds.
Symantec researchers found 1,859 business apps that use hardcoded AWS credentials, specifically access tokens. Of these, three-quarters (77%) contained valid AWS access tokens that could log in to private AWS cloud services, and nearly half (47%) contained valid tokens that could decrypt millions of private files stored in Amazon Simple Storage Service (Amazon S3) buckets.
This means that malicious actors can easily extract the tokens from the apps, steal the data, and abuse the cloud resources of the company that built the application.
Blame the mobile software supply chain
Symantec researchers attribute the situation to problems in the mobile software supply chain: a vulnerable shared component carries the hardcoded access tokens into every app that embeds it.
“We found that more than half (53%) of apps are using the same AWS access token as other apps,” they said in Thursday’s analysis. “Interestingly, these apps were often from different app developers and companies. [Ultimately] the AWS access tokens can be traced to shared libraries, third-party SDKs, or other shared components used to develop the apps.”
The company found that app developers were using these shared, hardcoded AWS tokens for a variety of reasons: to download the app’s configuration files, to collect and store user device information, or to access individual cloud services that require authentication, such as translation services. However, the tokens’ reach into the cloud is often far greater than developers realize.
“The problem is that often the same AWS access token exposes all files and buckets in the Amazon S3 cloud, often corporate files, infrastructure files and components, database backups, etc.,” the analysis states. “Not to mention cloud services other than Amazon S3 that can be accessed using the same AWS access token.”
As an example, one of the apps the analysis uncovered was built by a B2B company that provides an intranet and communication platform. The company also offers a mobile software development kit (SDK) that its customers use to access the platform.
“Unfortunately, the SDK also contained the B2B company’s cloud infrastructure key, exposing all the customers’ private data on the B2B company’s platform,” Symantec researchers noted, adding that they have notified all organizations using the vulnerable app of the issue. “Their customers’ corporate data, financial records, and employees’ personal data were exposed. All the files the company used on the intranets of its more than 15,000 medium and large enterprises were also exposed.”
The same was true of a set of iOS mobile banking apps that used the AI Digital Identity SDK for authentication. The SDK embeds AWS tokens that could be used to access private authentication data and keys belonging to every banking and financial app that uses it, along with the biometric digital fingerprints of 300,000 bank users used for authentication and other personal data (names, dates of birth, and more).
Symantec researchers concluded that “Apps that use hardcoded AWS access tokens are vulnerable, active, and pose serious risks. [And] This is not uncommon.”
Avoiding cloud breaches via mobile apps
According to StackHawk co-founder and CSO Scott Gerlach, organizations can take steps to ensure that the apps they build for their customers don’t unknowingly provide an avenue for cyber espionage.
“Adding DevSecOps tools like secret scanning to your continuous integration/continuous delivery (CI/CD) pipeline can help you find these types of secrets as you build software,” he said in a statement. “And it’s important to understand how to manage and securely provision AWS and other API keys/tokens to prevent unauthorized access.”
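As an added example (not Symantec’s tooling or StackHawk’s product), the following Python script shows what such a CI secret scan looks like when pointed at the unpacked contents of several mobile app builds: it matches the AWS access key ID format, flags a long secret value sitting next to a “secret” key name, and reports access key IDs that appear in more than one app, which is the shared-SDK pattern the researchers describe. The app names, file paths and key values are constructed for the example and are not real credentials; the AKIA/ASIA prefix convention is the one AWS documents for long-term and temporary keys.

```python
import json
import re
from collections import defaultdict

# Constructed sample of unpacked app builds: app name -> {file path: contents}.
# Every key value below is made up for this example; the 40-character secret in
# the first app is the placeholder AWS uses in its own documentation.
SAMPLE_APPS = {
    "intranet-client": {
        "assets/config.json": (
            '{"region":"us-east-1","aws_access_key_id":"AKIAEXAMPLE000000001",'
            '"aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'
        ),
    },
    "bank-app-a": {
        "lib/identity_sdk.properties": (
            "sdk.accessKey=AKIAEXAMPLE000000002\n"
            "sdk.secretKey=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n"
        ),
    },
    "bank-app-b": {
        # Same SDK, same embedded token: the shared-component case.
        "lib/identity_sdk.properties": "sdk.accessKey=AKIAEXAMPLE000000002\n",
    },
    "clean-app": {
        "assets/strings.xml": '<string name="api_base">https://api.example.test</string>',
    },
}

# AWS access key IDs are 20 characters: a documented prefix plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character base64-like value directly after a key name containing "secret".
SECRET_KEY_RE = re.compile(r"(?i)secret[_a-z]*\W{1,3}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def key_kind(key_id):
    """AWS documents AKIA as a long-term access key and ASIA as a temporary (STS) credential."""
    return "temporary" if key_id.startswith("ASIA") else "long-term"


def scan_text(text):
    """Return (access_key_ids, secret_candidates) found in one file's contents."""
    access_ids = [m.group(0) for m in ACCESS_KEY_RE.finditer(text)]
    secrets = [m.group(1) for m in SECRET_KEY_RE.finditer(text)]
    return access_ids, secrets


def scan_apps(apps):
    """Scan every file of every app; return app name -> list of findings."""
    findings = {}
    for app, files in apps.items():
        hits = []
        for path, contents in files.items():
            ids, secrets = scan_text(contents)
            for key_id in ids:
                hits.append({
                    "path": path,
                    "access_key_id": key_id,
                    "kind": key_kind(key_id),
                    # A key ID next to its secret is a complete, usable credential.
                    "secret_present": bool(secrets),
                })
        findings[app] = hits
    return findings


def shared_tokens(findings):
    """Map each access key ID to the apps embedding it; keep only IDs seen in 2+ apps."""
    owners = defaultdict(set)
    for app, hits in findings.items():
        for hit in hits:
            owners[hit["access_key_id"]].add(app)
    return {key_id: sorted(apps) for key_id, apps in owners.items() if len(apps) > 1}


def summarize(apps):
    """Aggregate the scan the way a CI gate would report it."""
    findings = scan_apps(apps)
    affected = [app for app, hits in findings.items() if hits]
    shared = shared_tokens(findings)
    return {
        "apps_scanned": len(apps),
        "apps_with_tokens": len(affected),
        "apps_sharing_tokens": sorted({app for apps_ in shared.values() for app in apps_}),
        "shared": shared,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_APPS), indent=2))
```

In a pipeline the same scan would run over the decompiled APK/IPA resources and the SDK bundles before they are packaged, and any long-term (AKIA) hit, with or without its secret, should fail the build; an ID that turns up in several unrelated apps is the signal that the leak sits in a shared library rather than in one team’s code.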
According to Delinea cybersecurity evangelist Tony Goulding, from a design perspective developers often replace hardcoded credentials with API calls to a repository or software-as-a-service (SaaS) vault, or use temporary tokens instead.
“[That way] they can retrieve credentials or keys in real time that are not kept on the device, in the app, or in a local configuration file,” he said in a statement. “Another approach is to use the AWS STS service to provision temporary tokens that grant access to AWS resources. They are similar to their siblings: once they expire, AWS no longer recognizes them as valid, preventing unauthorized API requests using that token.”
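The temporary-token design Goulding describes, as an added example that is not part of the original article or of any vendor’s product: a backend endpoint that the mobile app calls over its own authenticated session exchanges the user’s identity for short-lived STS credentials scoped by a session policy, so no long-lived key ever ships in the app. The vending function calls `assume_role()` with the keyword arguments boto3’s STS client takes (`RoleArn`, `RoleSessionName`, `Policy`, `DurationSeconds`) and reads the `Credentials` block it returns; `FakeSTS`, the role ARN, bucket name, user ID and returned key values are constructed stand-ins so the example runs offline.

```python
import json
from datetime import datetime, timedelta, timezone


def build_session_policy(bucket, user_id):
    """Session policy that narrows the role's permissions to one user's prefix in one bucket."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/users/{user_id}/*",
        }],
    })


def parse_policy_resources(policy_json):
    """Helper for inspection: list the Resource entries of a policy document."""
    return [stmt["Resource"] for stmt in json.loads(policy_json)["Statement"]]


def vend_temporary_credentials(sts_client, role_arn, user_id, bucket, duration_seconds=900):
    """Backend-side token vending for an already-authenticated mobile user.

    The backend holds the IAM identity allowed to assume role_arn; the app never sees it.
    sts_client is any object exposing assume_role() with boto3's keyword arguments.
    """
    # STS rejects anything under 900 s; the one-hour cap is this example's own policy,
    # chosen so a token copied off a device dies quickly.
    if not 900 <= duration_seconds <= 3600:
        raise ValueError("duration_seconds must be between 900 and 3600")
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"mobile-{user_id}",
        Policy=build_session_policy(bucket, user_id),
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def credentials_are_valid(creds, now=None):
    """Client-side pre-check; AWS itself refuses the token once expiration has passed."""
    now = now or datetime.now(timezone.utc)
    return now < creds["expiration"]


class FakeSTS:
    """Constructed offline stand-in for boto3's STS client; only assume_role() is modelled."""

    def __init__(self):
        self.last_call = None

    def assume_role(self, **kwargs):
        self.last_call = kwargs
        ttl = kwargs["DurationSeconds"]
        return {"Credentials": {
            # Temporary credentials carry the ASIA prefix; values below are made up.
            "AccessKeyId": "ASIAEXAMPLE000000003",
            "SecretAccessKey": "fake-secret-for-example-only",
            "SessionToken": "fake-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=ttl),
        }}


if __name__ == "__main__":
    sts = FakeSTS()
    creds = vend_temporary_credentials(
        sts, "arn:aws:iam::123456789012:role/MobileUploader", "u42", "example-bucket"
    )
    print("app receives:", creds["access_key_id"], "valid until", creds["expiration"])
    print("scoped to:", parse_policy_resources(sts.last_call["Policy"]))
```

The important property is what the app holds: an ASIA-prefixed key, a session token and an expiration, all bound to one user’s prefix by the session policy. Extracting that from a device buys an attacker at most the remaining lifetime of one user’s scope, whereas the hardcoded AKIA keys in the report were long-lived and, as Symantec found, frequently gave access to every bucket the account owned.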