A huge amount of private data, including more than 300,000 biometric digital fingerprints used in five mobile banking apps, is at risk of being stolen because of hard-coded Amazon Web Services credentials, security researchers say.
The Symantec Threat Hunter Team reported discovering 1,859 publicly available apps, both Android and iOS, with hard-coded AWS credentials. This means that anyone who looked inside the apps would have found the credentials in the code and could have used them to access the Amazon-hosted app servers and steal user data. The vast majority (98%) were iOS apps.
A total of 77 percent of these applications had valid AWS access tokens to access private AWS cloud services, the intelligence team noted in a study released today.
Additionally, nearly half (47 percent) had valid AWS tokens giving full access to sometimes millions of private files via Amazon S3 buckets. These hard-coded AWS access tokens would be easy to extract and exploit, and represent a serious problem in the supply chain, said Dick O’Brien, managing editor of the Symantec Threat Hunter team.
We’re told that the developers of these apps may not have included the credentials themselves, or may not have even known they were there: the tokens may have been introduced by a poorly designed software dependency.
“When you’re talking about building mobile apps, most people aren’t starting from scratch,” O’Brien said.
Instead, developers rely on software libraries, software development kits (SDKs) and other third-party components that make up the “building blocks of applications,” he added.
“Each of them makes decisions about the security of the product that you end up delivering to your customers. So, say, the decision of the person who provided the SDK to introduce hard-coded credentials could affect thousands of different applications, depending on how widely it’s used.”
Not all of the apps analyzed by the threat hunters had huge user bases. But a deeper dive into some of the more interesting ones turned out to be “quite disturbing,” O’Brien said. “What we’ve seen, the profile of the programs and the nature of the companies involved, will certainly be disruptive.”
Here are some examples of what researchers have found.
Sensitive information exposed
In one case, a B2B intranet and communications service provider issued a mobile SDK to its customers to access their platform. The SDKs turned out to be keys to the provider’s cloud infrastructure, which could expose all customer data stored on the platform, including financial records, employee information and other information. More than 15,000 medium and large companies were exposed.
The SDK had an AWS token hardcoded to access the translation service provided by Amazon. However, this token gave full access to the vendor’s backend systems, not just the translation tool. “Instead of restricting an encrypted token to use with the translation cloud service, anyone with the token had full unfettered access to all of the B2B company’s AWS cloud services,” wrote Symantec’s Kevin Watkins.
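The failure described above is a scoping one: a token issued so the SDK could call Amazon Translate was backed by permissions covering every AWS service in the account. The following added example (not Symantec's tooling and not the vendor's code) places a constructed over-broad policy beside a policy scoped to the single Translate action, and adds a small check a build pipeline could run against the IAM policy behind any credential an SDK will carry. The policies and the `allowed_services` list are assumptions for illustration.

```python
"""Least-privilege check for the IAM policy behind an SDK-issued token.

Added example: both policies below are constructed for illustration and
are not taken from any vendor mentioned in the article.
"""
from typing import Iterable

# Constructed: what a token that "only needs translation" too often gets.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed: scoped to the one action the SDK actually calls.
# TranslateText is not resource-scoped, so Resource stays "*"; the
# restriction comes from naming exactly one action.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["translate:TranslateText"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: dict, allowed_services: Iterable[str]) -> list:
    """Return the Allow actions in `policy` that reach beyond `allowed_services`.

    Flags three things:
      * a wildcard action ("*"),
      * any action whose service prefix is not in the allow-list (e.g. "s3:GetObject"),
      * a service-wide wildcard even for an allowed service (e.g. "translate:*").
    Deny statements never widen access, so they are skipped.
    """
    allowed = {s.lower() for s in allowed_services}
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append({"action": action, "reason": "wildcard action"})
                continue
            service, _, operation = action.partition(":")
            if service.lower() not in allowed:
                findings.append({"action": action, "reason": f"service {service} not required"})
            elif operation == "*":
                findings.append({"action": action, "reason": "service-wide wildcard"})
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, overbroad_statements(policy, ["translate"]))
```

The allow-list is the set of services the SDK is documented to call; anything outside it is a finding regardless of how the statement is phrased, which is the case the article describes (a translation token that also opened every other service).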
Another example of what not to do in mobile app development: the security firm found five iOS banking apps that used the same vulnerable AI digital identity SDK.
Using third-party software for the authentication component of an application is quite common.
As Watkins noted, “The complexity of providing multiple forms of authentication, maintaining a secure infrastructure, and managing access to identities can be expensive and require expertise to get right.”
However, it can also lead to data leakage. In this case, the SDK included embedded credentials that exposed users’ biometric digital fingerprints used for authentication, along with names and dates of birth. “Over 300,000 people’s fingerprints were exposed,” O’Brien said.
In addition to the bank’s customers’ personal information, the token also exposed the server’s infrastructure and blueprints, including API source code and the AI models used.
Finally, in a third example of mobile application supply chain risk, Symantec found 16 online gambling applications using a vulnerable software library that, according to Watkins, “exposed all infrastructure and cloud services across all AWS cloud services with all read/write root account credentials.” Not a bad look for the highly regulated sports betting industry.
The security company reported the flaws to all of these organizations.
Why do apps use hard-coded tokens?
There are several reasons why these apps end up shipping with access keys inside them. Some are legitimate: the app needs to download resources or access certain cloud services, such as the AWS translation service, that require authentication. Sometimes the keys sit in dead code, or a developer uses them to test an application and does not remove them before it goes into production.
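The "test credentials never removed before production" case is one a release pipeline can catch mechanically. The following added example (not Symantec's scanner and not any vendor's build step) walks the files of an unpacked app bundle, looks for the AWS access key ID format, and classifies long-term user keys (`AKIA` prefix) separately from temporary STS keys (`ASIA` prefix), since the article's recommended fix is short-lived, narrowly scoped credentials obtained at runtime rather than baked into the artifact. The `SAMPLE_BUNDLE` contents, the directory layout and the `scan_directory` helper are assumptions for illustration; the key ID format itself is AWS's documented one.

```python
"""Pre-release gate: refuse to ship an app bundle that embeds AWS key IDs.

Added example. SAMPLE_BUNDLE is a constructed stand-in for an unzipped
.ipa/.apk; the key IDs in it are fake and follow only the documented
20-character format (4-character prefix + 16 uppercase alphanumerics).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# AKIA = long-term IAM user key, ASIA = temporary STS key. Other prefixes
# (e.g. AROA for roles) are identifiers, not credentials, so not flagged.
# The look-around guards stop the pattern firing inside longer uppercase runs.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


@dataclass
class Finding:
    path: str
    key_id: str
    kind: str  # "long-term" or "temporary"


def scan_bundle(files: dict[str, bytes]) -> list[Finding]:
    """Scan raw file contents (path -> bytes) for embedded AWS access key IDs.

    Works on bytes so compiled binaries, DEX string tables and plists are all
    handled the same way: an ASCII key ID is an ASCII key ID wherever it sits.
    """
    findings: list[Finding] = []
    for path, data in files.items():
        for match in KEY_ID_RE.finditer(data):
            kind = "long-term" if match.group(1) == b"AKIA" else "temporary"
            findings.append(Finding(path, match.group(0).decode("ascii"), kind))
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Scan every file under an unpacked bundle directory (unzip the .ipa/.apk first)."""
    base = Path(root)
    files = {str(p.relative_to(base)): p.read_bytes() for p in base.rglob("*") if p.is_file()}
    return scan_bundle(files)


def release_allowed(findings: list[Finding]) -> bool:
    """Any embedded key ID blocks the release.

    A long-term key is the case the article describes. A temporary key is
    useless once it expires, so its presence means it was pasted in during
    testing rather than fetched at runtime, which is also a build defect.
    """
    return len(findings) == 0


# Constructed sample bundle: one clean plist, one vendor SDK config carrying a
# long-term key, and a binary with a temporary key in its string table.
SAMPLE_BUNDLE: dict[str, bytes] = {
    "Payload/Demo.app/Info.plist": (
        b'<plist version="1.0"><dict><key>CFBundleName</key>'
        b"<string>Demo</string></dict></plist>"
    ),
    "Payload/Demo.app/vendor_sdk_config.json": (
        b'{"region": "us-east-1", "accessKeyId": "AKIAEXAMPLEEXAMPLE01"}'
    ),
    "Payload/Demo.app/Demo": b"\x00\x01binaryjunk\x00ASIAEXAMPLEEXAMPLE02\x00more\x00",
}


if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"{f.path}: {f.kind} key {f.key_id}")
    print("release allowed:", release_allowed(results))
```

In a pipeline the call is `scan_directory` on the extracted artifact, after the build and before upload to the store; the findings list is also what the SDK vendor should be asked about when the offending file is one of theirs, which is the supply-chain angle the article raises.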
“A lot of it comes down to not knowing what you’re exposing yourself to,” O’Brien said. “When you use credentials to access one resource in the cloud, you expose everything else that’s accessed using those credentials. It’s probably a bit of ignorance and maybe a bit of negligence on the part of the developers.”
He added that organizations can protect themselves from these software supply chain weaknesses by following best practices for sharing and using cloud IT provider resources.
“Developers should never reuse cloud shares for user data with internal enterprise data and should ensure that all parts are properly locked down with permissions for data at rest,” O’Brien warned. “Short-term keys, limited to only the data and cloud services that the application needs, are the way to go.” ®