According to research from Symantec, as many as 1,859 publicly available Android and iOS apps contain hard-coded AWS credentials. The unsafe mobile application development practices are paving the way for such supply chain vulnerabilities.
AWS access tokens are active in around 77% (1,431) of these 1,859 apps, which makes it possible for threat actors to access private AWS cloud services. Additionally, almost half of these apps (873) containing valid AWS access tokens provided access to private databases stored in Amazon S3 containing millions of files and data records.
The scenario is ideally suited for threat actors looking to breach data, with far-reaching consequences for user privacy and for the security of the entire mobile software supply chain. Mobile app developers commonly use such databases to store sensitive data, including communications, app logs, and private customer/user data.
Case studies undertaken by Symantec Threat Hunter Team researcher Kevin Watkins revealed that one such instance contained private authentication data and keys for every banking and financial app that used the SDK. Personal data, including names, dates of birth and other details, as well as 300,000 digital biometric fingerprints, were leaked across five mobile banking apps using the SDK.
Watkins also came across 16 online gambling apps that exposed their entire infrastructure and cloud services, with full read/write root account credentials across all AWS cloud services. As a result, their gaming operations, business data, and customer data are at risk.
Yet another case revealed that a company’s tech stack exposed all files it had on its intranet for more than 15,000 medium-to-large-sized companies, as well as customers’ corporate data, financial records, and employees’ private data.
Each of these cases has one thing in common: the companies exposed in each case relied on vulnerable software development kits (SDKs), libraries, or other components from their technology providers' stacks. For example, the 16 online gambling apps were using a vulnerable library or had outsourced their digital and online operations to B2B companies.
Similarly, all banking apps that exposed data were using a vulnerable AI Digital Identity SDK from a third-party provider, which had embedded cloud credentials.
Watkins wrote, “Imagine a business-to-business (B2B) company providing access to its service using a third-party SDK and embedding an AWS hard-coded access key, exposing not only the private data of the app using the third-party SDK, but also the private data of all apps using the third-party component. Unfortunately, this is not an uncommon occurrence.”
Symantec, a Broadcom-owned company, pointed out that these risks directly result from upstream mobile app developers using external software libraries and SDKs or outsourcing technology operations, which requires sharing user/customer data without performing the necessary due diligence. As a result, the downstream app and data security are severely hampered.
“We discovered that over half (53%) of the apps were using the same AWS access tokens found in other apps. Interestingly, these apps were often from different app developers and companies. This pointed at a supply chain vulnerability, and that’s exactly what we found. The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps,” Watkins noted.
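A defender-side check that follows from the shared-token finding above, added here as an illustration and not taken from Symantec's report: it extracts AWS access key IDs from app bundles (APK and IPA files are both zip archives) and correlates them across apps, so a key that turns up in bundles from unrelated developers is flagged as likely shipped inside a common SDK. The sample bundles, key values and helper names are constructed for the example.

```python
from __future__ import annotations
import io
import re
import zipfile
from collections import defaultdict
# AWS access key IDs are 20 chars starting "AKIA" (long-term IAM user key) or "ASIA"
# (temporary STS key); the public prefix makes them easy to fingerprint.  Secret
# access keys have no such prefix and are deliberately not searched for here.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
def find_access_key_ids(blob: bytes) -> set[str]:
    """Return the distinct AWS access key IDs embedded in a byte string."""
    return {m.group(0).decode() for m in ACCESS_KEY_RE.finditer(blob)}
def scan_app_archive(archive) -> set[str]:
    """Scan every member of an APK/IPA (both are zip files); path or file-like."""
    found = set()
    with zipfile.ZipFile(archive) as zf:
        for member in zf.namelist():
            found |= find_access_key_ids(zf.read(member))
    return found
def shared_keys(app_keys: dict[str, set[str]]) -> dict[str, list[str]]:
    """Key IDs present in two or more apps -> the apps carrying them.  A key
    shared by apps from different developers points at a common SDK/library."""
    by_key = defaultdict(list)
    for app, keys in app_keys.items():
        for key in keys:
            by_key[key].append(app)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
def build_sample_app(members: dict[str, bytes]) -> io.BytesIO:
    """Constructed in-memory stand-in for an app bundle (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
# Constructed sample: two banking apps ship the same identity SDK; the game
# app carries its own key.  Every key value here is a made-up placeholder.
SAMPLE_APPS = {
    "bank_a.ipa": build_sample_app(
        {"Payload/BankA.app/IDSDK.framework/IDSDK": b"\x00key=AKIAEXAMPLESHAREDKEY\x00"}),
    "bank_b.ipa": build_sample_app(
        {"Payload/BankB.app/IDSDK.framework/IDSDK": b"\x00key=AKIAEXAMPLESHAREDKEY\x00"}),
    "game.apk": build_sample_app(
        {"lib/arm64-v8a/libgame.so": b"\x00upload=AKIAEXAMPLEONLYINAPP\x00",
         "classes.dex": b"dex\n035\x00AKIAnotAKey"}),
}
def demo() -> dict[str, list[str]]:
    # Scan the sample apps and report key IDs that appear in more than one.
    return shared_keys({name: scan_app_archive(buf) for name, buf in SAMPLE_APPS.items()})
```

Any key ID this reports is only a candidate: confirm it against the SDK's provenance and rotate it through your own AWS account rather than probing it from the scanner.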
The software supply chain is one of the more serious, not to mention lucrative, targets, with the potential to cause extensive damage. Just look at the software supply chain hack of SolarWinds Orion, an IT infrastructure monitoring and management platform used extensively by private and U.S. government organizations.
The December 2020 cyber espionage campaign under which SolarWinds clients using Orion were targeted was quite sophisticated. The Russia-based Advanced Persistent Threat (APT) group began preparing for it as early as March 2020.
However, based on the evidence unearthed by Symantec, it is doubtful whether compromising the mobile software supply chain to breach the data fed to and by the mobile apps would be as challenging.
So why are mobile developers using hard-coded keys? Watkins and Symantec outlined the following reasons:
- The apps need to download or upload assets and resources (large media files, recordings, or images).
- To access configuration files for the app, register the device, collect device information and store it in the cloud.
- To access cloud services that require authentication.
- Probably the most problematic: no specific reason, dead code, and/or used for testing and never removed.
A whopping 98% of the mobile apps with hard-coded AWS credentials and thus vulnerable to supply chain risks were for iOS. Symantec has notified all impacted parties.