Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials

The Symantec Threat Hunter team has spotted 1859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) access tokens that permitted access to private AWS cloud services.

Of all the apps analyzed by the security researchers, roughly 50% were found to be using the same AWS tokens that appeared in other apps, maintained by different developers and companies.

“The AWS access tokens could be traced to a shared library, third-party software development kit (SDK), or other shared component used in developing the apps,” reads the advisory, which called the discovery a serious supply chain vulnerability.

As for why app developers were using hard-coded access keys, Symantec said the reasons included downloading or uploading assets and resources required for the app (usually large media files), accessing the app's configuration files, and accessing cloud services that require authentication.

The security team also shared findings from specific case studies, involving an intranet platform, various iOS banking apps and an online gaming technology platform respectively. More information about each of them is available here.

The Symantec Threat Hunter team concluded its advisory with a series of recommendations to help companies defend against this type of supply chain issue.

“Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues,” wrote the team.

“As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.”
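The scanning step recommended above is something a build pipeline can do on its own artifacts before every release. What follows is an added example, not code from Symantec or from the article: a small Python scanner that looks through text pulled from an app build (decompiled source, strings.xml, bundled config files) for AWS access key IDs (the documented AKIA and ASIA prefixes) and for 40-character secret keys sitting next to an "aws ... secret" keyword, records only a fingerprint of each token, and then correlates fingerprints across apps so that one token turning up in several apps, the shared-SDK pattern the report describes, stands out. The app names, file paths and file contents are constructed; the AKIA key ID and the secret are AWS's documented placeholder credentials, and the ASIA key ID is made up.

```python
"""Scan app build artifacts for hard-coded AWS credentials and correlate
the same token across apps (added example; assumptions noted inline)."""
import hashlib
import re
from collections import defaultdict

# AWS access key IDs are 20 characters: a 4-character prefix followed by 16
# upper-case alphanumerics. AKIA = long-term IAM user key (never expires on
# its own), ASIA = temporary STS key (expires; shipping one is a symptom of
# the same bad pattern, but it is not a standing credential).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-like characters and look like any other
# blob, so one is only flagged when it sits within 40 characters of an
# "aws ... secret" (or "aws ... sk") keyword on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\- ]?(?:secret|sk)[^\n]{0,40}?"
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample: what you would get from unpacking three builds. App A and
# App B ship the same token (hypothetically from the same third-party SDK);
# App C has its own. Values are AWS's documented placeholders plus a made-up
# ASIA id, not live secrets.
SAMPLE_APPS = {
    "com.example.appA": {
        "assets/sdk_config.json":
            '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
            ' "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
    },
    "com.example.appB": {
        "res/values/strings.xml":
            '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
            '<string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>',
    },
    "com.example.appC": {
        "Sources/Upload.swift":
            'let accessKey = "ASIAEXAMPLE1234567CD"\nlet bucket = "app-media"',
    },
}


def fingerprint(token):
    """Short SHA-256 prefix so reports can be correlated without copying the secret around."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scan_text(app, path, text):
    """Return findings for one file. A finding carries a fingerprint, never the token itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            findings.append({
                "app": app, "path": path, "line": lineno,
                "kind": "access_key_id",
                "prefix": key[:4],  # AKIA vs ASIA matters for triage; the rest is not stored
                "fingerprint": fingerprint(key),
            })
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({
                "app": app, "path": path, "line": lineno,
                "kind": "secret_access_key",
                "prefix": None,
                "fingerprint": fingerprint(m.group(1)),
            })
    return findings


def scan_apps(apps):
    """apps: {app_name: {file_path: file_text}} produced by unpacking or decompiling each build."""
    findings = []
    for app, files in apps.items():
        for path, text in files.items():
            findings.extend(scan_text(app, path, text))
    return findings


def correlate(findings):
    """Map fingerprint -> sorted app names for every token seen in more than one app.
    A token shared by apps from different publishers points at a common SDK or library."""
    apps_by_fp = defaultdict(set)
    for f in findings:
        apps_by_fp[f["fingerprint"]].add(f["app"])
    return {fp: sorted(apps) for fp, apps in apps_by_fp.items() if len(apps) > 1}


if __name__ == "__main__":
    found = scan_apps(SAMPLE_APPS)
    for f in found:
        print(f"{f['app']}:{f['path']}:{f['line']} {f['kind']} "
              f"prefix={f['prefix']} fp={f['fingerprint']}")
    for fp, apps in correlate(found).items():
        print(f"token {fp} shared by {len(apps)} apps: {', '.join(apps)}")
```

Two design choices are worth noting. The secret-key pattern is deliberately anchored to a keyword, because a bare 40-character base64 match fires on every hash and certificate blob in a build; the access-key-ID pattern needs no such anchor because the AKIA/ASIA prefix is distinctive. And the report stores a fingerprint rather than the credential, so a scanner that runs in CI and uploads its findings does not itself become a second place the key leaks from.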

For context, AWS technologies were also under the spotlight earlier this year when a Turkish airline accidentally leaked personal information of flight crew, alongside source code and flight data, due to a misconfigured AWS bucket.

More recently, Amazon fixed a high-severity vulnerability in its Photos Android app.