- Symantec identified 1,859 publicly available apps, both Android and iOS, containing hard-coded AWS credentials and almost all were iOS apps.
- Hard-coded cloud credentials are a type of vulnerability that puts app users’ privacy, and the privacy and data of their company or employer, at risk.
- Over three-quarters of the apps contained valid AWS access tokens allowing access to private AWS cloud services.
Symantec published a report that pinpoints a risk arising from supply chain issues. The research shows that supply chain vulnerabilities are often introduced by app developers, both knowingly and unknowingly. In most cases, developers are unaware of the security impact on app users’ privacy, or that they may be putting their own companies at risk.
Mobile app supply chain
Symantec stated that supply chain issues can find their way into mobile apps and cause serious security problems. Some of these are:
- Mobile app developers unknowingly using vulnerable external software libraries and SDKs
- Companies outsourcing the development of their mobile apps, which then end up with vulnerabilities that put them at risk
- Companies, often larger ones developing multiple apps across teams, sharing vulnerable libraries across those teams and their apps
The researchers took a closer look at the publicly available apps in the global app collection that contained hard-coded Amazon Web Services (AWS) credentials, seeking to understand why app developers hard-code cloud credentials inside apps and where those credentials are located within the apps.
The team identified 1,859 publicly available apps, both Android and iOS, containing hard-coded AWS credentials. The results showed that 98% of these apps were iOS apps. Symantec also found:
- Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services
- Close to half (47%) of those apps contained valid AWS tokens that also gave full access to numerous (often millions of) private files via the Amazon Simple Storage Service (Amazon S3)
The researchers found that 53% of the apps were using the same AWS access tokens found in other apps. Interestingly, these apps often came from different app developers and companies, which points to a supply chain vulnerability: the AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps. As for why developers hard-code keys, the reasons are:
- Downloading or uploading assets and resources required for the app, usually large media files, recordings, or images
- Accessing configuration files for the app and/or registering the device and collecting device information and storing it in the cloud
- Accessing cloud services that require authentication, such as translation services, for example
- No specific reason, dead code, and/or used for testing and never removed
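The following Python scanner is an added example, not code from Symantec or the report; it assumes app bundles have already been unpacked into text and sketches the two checks the research describes: locating hard-coded AWS key IDs (and whether a usable secret sits beside them) and spotting the same key ID recurring across apps from different developers, which points to a shared SDK. The app names, file paths and developer names are constructed, and the key pair is the placeholder pair from AWS documentation.

```python
import re
from collections import defaultdict

# Long-term AWS access key IDs are 20 characters starting with "AKIA" (temporary ones use "ASIA").
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 base64-alphabet characters. Alone that pattern is noisy, so a secret is only
# reported when it sits within WINDOW characters of a key ID, which is how usable pairs are embedded.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 200


def scan_text(text):
    """Return [(access_key_id, secret_nearby)] for every key ID in one extracted file."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        context = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        findings.append((m.group(1), SECRET_RE.search(context) is not None))
    return findings


def scan_apps(apps):
    """apps: {app_name: {"developer": str, "files": {path: contents}}} -> (per_app, shared).
    per_app records where each key ID was found; shared maps key IDs seen in apps from more than
    one developer to the developer names, the pattern the report attributes to a common SDK."""
    per_app = defaultdict(list)
    developers_by_key = defaultdict(set)
    for app, info in apps.items():
        for path, contents in info["files"].items():
            for key_id, secret_nearby in scan_text(contents):
                per_app[app].append({"file": path, "key_id": key_id, "secret_nearby": secret_nearby})
                developers_by_key[key_id].add(info["developer"])
    shared = {k: sorted(d) for k, d in developers_by_key.items() if len(d) > 1}
    return dict(per_app), shared


# Constructed sample: two apps from different developers bundle the same third-party MediaSDK.
# The key pair is the placeholder pair from AWS documentation, not a live credential.
SAMPLE_APPS = {
    "photo-uploader": {"developer": "ExampleCo", "files": {
        "Payload/Photo.app/Info.plist": "<key>CFBundleName</key><string>photo-uploader</string>",
        "Payload/Photo.app/Frameworks/MediaSDK.framework/MediaSDK":
            "s3_key=AKIAIOSFODNN7EXAMPLE s3_secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY bucket=media",
    }},
    "voice-notes": {"developer": "OtherCorp", "files": {
        "Payload/Notes.app/Frameworks/MediaSDK.framework/MediaSDK":
            "s3_key=AKIAIOSFODNN7EXAMPLE s3_secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY bucket=media",
        "Payload/Notes.app/config.json": '{"translate_key": "AKIAEXAMPLE0123456AB"}',
    }},
}
```

Running `scan_apps(SAMPLE_APPS)` flags the MediaSDK key in both apps with a secret beside it, the config.json key alone, and reports the MediaSDK key ID as shared between ExampleCo and OtherCorp.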
The company said:
« Protecting yourself from these types of supply chain issues is possible. Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues. As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors. »