In total, the researchers found 1,859 apps containing hard-coded AWS credentials. The overwhelming majority (98%) were iOS apps; only 37 were Android applications.
Roughly 77% of those applications contained valid AWS access tokens that could be used to reach private cloud services directly. Of these, 874 applications contained valid tokens that also opened the cloud services holding the databases of live production services, with millions of records between them.
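The credential type behind these numbers is a plain AWS access key pair, and once an app's strings are extracted it is easy to spot. The following is an added example, not code from the original article or from Symantec's tooling: a Python scanner that runs over a `strings` dump of an app binary (a constructed sample dump is embedded, built around the documented AWS example key pair rather than any real credential), flags access key IDs by their AKIA/ASIA prefix, attaches the nearest labelled secret, and triages each hit. The sample lines, the `window` parameter, the file-path argument and the triage labels are my assumptions.

```python
"""Find hard-coded AWS credentials in strings extracted from an app binary.

Added example; the sample strings below are constructed, not taken from any
real app. Pass the path of a `strings` dump as the first argument to scan a
real bundle; with no argument the embedded sample is scanned.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA; both
# are 20 characters of upper-case letters and digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 characters from the base64 alphabet. On its own
# that is too weak a pattern, so only accept one that sits right after a
# label such as aws_secret_access_key= or "secretAccessKey":.
SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_?access)?_?key[^A-Za-z0-9/+]{0,5}"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample, shaped like `strings` output from an iOS binary. The key
# pair is the documented AWS example pair, not a live credential.
SAMPLE_STRINGS = """\
_OBJC_CLASS_$_AWSS3TransferUtility
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
com.example.analytics.bucket
AKIANOTAKEY
X-Amz-Security-Token
ASIAEXAMPLETEMP00001
Copyright 2022 Example Corp
"""


@dataclass
class Finding:
    line_no: int            # 1-based line in the scanned input
    access_key_id: str
    secret_key: Optional[str]
    temporary: bool         # True for ASIA (STS) keys


def scan_lines(lines: Iterable[str], window: int = 3) -> List[Finding]:
    """Return one Finding per access key ID, with the nearest labelled secret
    within `window` lines attached (each secret is used at most once)."""
    buf = list(lines)
    findings = [
        Finding(i + 1, m.group(1), None, m.group(1).startswith("ASIA"))
        for i, line in enumerate(buf)
        for m in ACCESS_KEY_RE.finditer(line)
    ]
    secrets = [
        (i + 1, m.group(1))
        for i, line in enumerate(buf)
        for m in SECRET_RE.finditer(line)
    ]
    # Pair each secret with the closest still-unpaired key ID inside the window.
    for secret_line, secret in secrets:
        best: Optional[Finding] = None
        for f in findings:
            dist = abs(f.line_no - secret_line)
            if dist <= window and f.secret_key is None and (
                best is None or dist < abs(best.line_no - secret_line)
            ):
                best = f
        if best is not None:
            best.secret_key = secret
    return findings


def triage(f: Finding) -> str:
    """Label a finding the way an analyst would prioritise it."""
    if f.temporary:
        return "temporary STS key: unusable without its session token and likely expired"
    if f.secret_key is None:
        return "access key id only: look for the secret in plists, configs or other binaries"
    return "long-term key pair: check validity with sts:GetCallerIdentity, then report"


def main() -> None:
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_STRINGS.splitlines()
    for f in scan_lines(lines):
        state = "secret attached" if f.secret_key else "no secret"
        print(f"line {f.line_no}: {f.access_key_id} ({state}) -> {triage(f)}")


if __name__ == "__main__":
    main()
```

To scan a real bundle, unzip the IPA and run `strings -n 8 Payload/<App>.app/<App> > dump.txt`, then pass `dump.txt` as the argument. A hit triaged as a long-term pair is confirmed with `aws sts get-caller-identity` using that key pair, which tells you whether the key is still live and which account it belongs to; a bare key ID is only a lead until its secret turns up elsewhere in the bundle.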
In their report, the analysts highlighted three clear examples of how a leaked AWS token can have disastrous consequences both for the authors of the affected application and for its users.
One example was an unnamed B2B company that provides intranet and communication services to more than 15,000 small and medium-sized businesses. The SDK this company distributes to its customers for accessing those services embeds AWS keys that exposed all customer data stored on the platform.
Another case was an SDK for third-party digital identity and authentication used by several iOS banking apps. Because of the cloud credentials hard-coded in it, the authentication data of all of those banks' customers (about 300,000 people) was exposed, including names, dates of birth, and even biometric data (digital fingerprints).
Symantec's researchers also found a vulnerable sports betting platform used by 16 online gambling applications. Through a developer mistake, the platform exposed its entire infrastructure and cloud services, giving a potential attacker administrator-level read and write permissions.
At the end of the report, the researchers identify several reasons why developers make such mistakes and leave valid tokens and credentials in their code: