According to research by Symantec, no fewer than 1,859 publicly available Android and iOS apps contain hard-coded AWS credentials. Unsafe mobile app development practices pave the way for such supply chain vulnerabilities.
The AWS access tokens were still valid in approximately 77% (1,431) of these 1,859 applications, giving anyone who extracts them from the app access to private AWS cloud services. Moreover, nearly half of the 1,859 applications (873) contained valid AWS tokens that also gave access to private files stored in Amazon S3, amounting to millions of data files and records.
The scenario is ideally suited for threat actors to breach data, with a massive impact on user privacy and on the security of the entire mobile software supply chain. These S3 buckets are commonly used by mobile application developers to store sensitive data including, but not limited to, communications, application logs, and private customer/user data.
Case studies conducted by Symantec Threat Hunter team researcher Kevin Watkins revealed that one such instance, an SDK used by banking and finance applications, exposed private authentication data and keys belonging to every banking and finance application built on it. Personal data, including names and dates of birth, and more than 300,000 biometric digital fingerprints used by five mobile banking apps built on the SDK, were exposed.
Watkins also discovered 16 online gambling applications that exposed their entire cloud infrastructure and every AWS service they used through full read/write root account credentials. As a result, their gaming operations, business data, and customer data are at risk.
Another case involved a company whose technology stack exposed every file on its intranet for more than 15,000 medium and large enterprises, including customer company data, financial records, and employees' private data.
Each of these cases has one thing in common: the exposed companies were using vulnerable software development kits (SDKs), libraries, or other technology stacks supplied by a technology vendor. For example, all 16 online gambling apps either used a vulnerable library or had outsourced their digital and online operations to B2B companies.
Similarly, all of the banking apps that exposed data used a vulnerable AI digital identity SDK from a third-party vendor, which had cloud credentials embedded in it.
Watkins wrote, “Imagine a business-to-business (B2B) business providing access to its service using a third-party SDK and embedding a hard-coded AWS access key, exposing not only the private data of the application using the third-party SDK, but also the private data of all applications using the third-party component. Unfortunately, this is not a rare occurrence.”
Symantec, a Broadcom-owned company, pointed out that these risks arise directly from upstream mobile application developers using external software libraries and SDKs, or outsourcing technology operations in ways that require sharing user/customer data, without performing the necessary due diligence. As a result, downstream application and data security are severely undermined.
“We found that more than half (53%) of applications were using the same AWS access tokens found in other applications. Interestingly, these apps often came from different app developers and companies. This highlighted a supply chain vulnerability, and that’s exactly what we found. AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in application development,” Watkins noted.
The software supply chain is one of the most serious, and most lucrative, targets, with the potential to cause significant damage. Just look at the software supply chain attack on SolarWinds Orion, an IT infrastructure monitoring and management platform widely used by US private and government organizations.
The cyber espionage campaign disclosed in December 2020, which targeted SolarWinds customers running Orion, was highly sophisticated: the Russian advanced persistent threat (APT) group behind it began preparing as early as March 2020.
Symantec's evidence, however, suggests that compromising the mobile software supply chain, and with it the data transmitted to and through mobile applications, need not be nearly as difficult.
So why are mobile developers using hard-coded keys? Watkins and Symantec gave the following reasons:
- To download or upload assets and resources (large media files, recordings, or images).
- To access application configuration files, register the device, collect device information, and store it in the cloud.
- To access cloud services that require authentication.
- Probably the most problematic: no specific reason at all; dead code, or code used for testing and never removed.
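As an added illustration (not part of Symantec's report or of any tool Watkins describes), the following Python script does what a reviewer checking an app build for this class of problem would do: it scans `strings`-style output from app binaries for AWS access key IDs, pairs each with a nearby high-entropy 40-character secret while ignoring hash-like strings, and then correlates key IDs across several apps to surface the shared-component pattern behind the 53% figure quoted above. The app names, the `IdentitySDK` strings and the entropy threshold are constructed assumptions; the key values are AWS's published documentation examples, not real credentials.

```python
import math
import re
from collections import defaultdict

# AWS access key IDs are 20 characters: a 4-character prefix followed by 16
# uppercase letters/digits. AKIA = long-term IAM user key, ASIA = temporary
# STS key (expires on its own, so a lower-severity find).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. This pattern
# also matches hashes and other blobs, so candidates are entropy-filtered below.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits per character. 40 hex characters cannot exceed 4.0; real secret
    keys drawn from the 64-character alphabet sit noticeably higher."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_credentials(lines, window=3, min_entropy=4.2):
    """Scan lines of `strings` output; pair each access key ID with the nearest
    high-entropy 40-char secret within +/- `window` lines (None if none).
    The 4.2 threshold is a heuristic chosen for this example."""
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(0)
            secret = None
            for j in range(max(0, i - window), min(len(lines), i + window + 1)):
                for cand in SECRET_RE.findall(lines[j]):
                    if shannon_entropy(cand) >= min_entropy:
                        secret = cand
                        break
                if secret:
                    break
            findings.append({
                "key_id": key_id,
                "kind": "long-term" if key_id.startswith("AKIA") else "temporary",
                "secret": secret,
                "line": i + 1,
            })
    return findings


def shared_key_ids(findings_by_app):
    """Map key IDs that appear in two or more apps to the sorted list of apps.
    A key shared by unrelated developers usually points at a common SDK."""
    apps_by_key = defaultdict(set)
    for app, findings in findings_by_app.items():
        for f in findings:
            apps_by_key[f["key_id"]].add(app)
    return {k: sorted(v) for k, v in apps_by_key.items() if len(v) > 1}


# Constructed sample input: fragments of what `strings` would print for three
# hypothetical app binaries. Keys are AWS's documented example values, not
# real credentials. Two apps ship the same key via a hypothetical shared SDK.
SAMPLE_APPS = {
    "bank-a.ipa": [
        "IdentitySDK/2.3.1",
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "s3://identity-sdk-uploads/",
    ],
    "bank-b.apk": [
        "com/example/identitysdk/Config",
        "AKIAIOSFODNN7EXAMPLE",
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    ],
    "game-c.ipa": [
        "sessionToken=ASIAZZZZZZZZEXAMPLE1",
        # A hex hash: matches the length pattern but fails the entropy filter.
        "commit=da39a3ee5e6b4b0d3255bfef95601890afd80709",
    ],
}


def scan_apps(apps=SAMPLE_APPS):
    """Run the credential scan over every app and return findings per app."""
    return {app: find_credentials(lines) for app, lines in apps.items()}


if __name__ == "__main__":
    results = scan_apps()
    for app, findings in results.items():
        for f in findings:
            print(f"{app}: {f['kind']} key {f['key_id']} "
                  f"secret={'present' if f['secret'] else 'not found'} (line {f['line']})")
    for key_id, apps in shared_key_ids(results).items():
        print(f"shared key {key_id} in {', '.join(apps)}  <- likely common SDK")
```

On a real engagement the input would come from `strings` run over the unpacked IPA or APK (or from a decompiler's string table), and any long-term key found should be treated as compromised and rotated rather than merely removed from the next build, since every shipped copy of the binary still carries it.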
Of the mobile apps found with hard-coded AWS credentials, and therefore exposed to supply chain risk, 98% were iOS apps. Symantec says it has notified all affected parties.