1,859 Mobile Apps, Mostly iOS, Found Storing Hard-Coded Credentials for AWS Databases


According to research from Symantec, as many as 1,859 publicly available Android and iOS apps contain hard-coded AWS credentials. Unsafe mobile application development practices, above all embedding cloud keys directly in app code and in bundled third-party SDKs, are paving the way for such supply chain vulnerabilities.

Valid AWS access tokens were found in around 77% (1,431) of these 1,859 apps, which would let threat actors reach private AWS cloud services. Additionally, almost half of the 1,859 apps (873) contained valid tokens that granted access to private Amazon S3 buckets holding millions of files and data records.

This scenario is ideally suited to data theft, with far-reaching consequences for user privacy and for the security of the entire mobile software supply chain. Such cloud storage is typically used by mobile app developers to hold sensitive data, including but not limited to communications, app logs, and private customer/user data.

Case studies by Symantec Threat Hunter Team researcher Kevin Watkins revealed one instance in which a shared SDK exposed private authentication data and keys belonging to every banking and financial app that used it. Personal data, including names and dates of birth, along with 300,000 digital biometric fingerprints, were leaked across five mobile banking apps using the SDK.

Watkins also came across 16 online gambling apps that exposed their entire infrastructure across all AWS cloud services through full read/write root account credentials. As a result, their gaming operations, business data, and customer data are at risk.

Yet another case revealed that a company's tech stack exposed every file on its intranet for more than 15,000 medium-to-large-sized companies, along with those customers' corporate data, financial records, and employees' private data.

Each of these cases has one thing in common: the exposed companies relied on vulnerable software development kits (SDKs), libraries, or other components supplied by a technology provider. For example, the 16 online gambling apps were using a vulnerable library or had outsourced their digital and online operations to B2B companies.
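To make concrete what the research above is counting, and how a shared SDK leaks the same key into many unrelated apps, here is an added Python scanner (example code written for this page, not Symantec's tooling). It walks an unpacked app bundle, reports every AWS access key ID it finds, pairs each with a nearby high-entropy 40-character secret, and flags key IDs that recur across files or apps, which is the fingerprint of a bundled third-party SDK. The bundle paths and file contents are constructed for the example; the key IDs and secret are AWS's documentation placeholders, not live credentials.

```python
"""Scan an unpacked mobile app bundle for hard-coded AWS credentials (added example)."""
import math
import os
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# AWS access key IDs are 20 characters: AKIA (long-term IAM user key) or ASIA
# (temporary STS key, useless without its session token) plus 16 of [0-9A-Z].
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are exactly 40 base64-alphabet characters. Matching them alone
# is noisy, so candidates are only taken near a key ID and filtered by entropy.
SECRET_CANDIDATE_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real secrets score well above padding or repeated filler."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Finding:
    path: str
    access_key_id: str
    long_term: bool                  # AKIA: valid until the IAM user's key is rotated
    secret_candidate: Optional[str]  # None when no plausible secret sits nearby
    offset: int


def scan_bytes(path: str, data: bytes, window: int = 256, min_entropy: float = 3.5) -> list:
    """Find key IDs in one file and pair each with a nearby high-entropy 40-char secret."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        key = m.group(1)
        lo, hi = max(0, m.start() - window), min(len(data), m.end() + window)
        secret = None
        for cand in SECRET_CANDIDATE_RE.finditer(data[lo:hi]):
            if shannon_entropy(cand.group(1)) >= min_entropy:
                secret = cand.group(1).decode("ascii")
                break
        findings.append(Finding(path, key.decode("ascii"), key.startswith(b"AKIA"), secret, m.start()))
    return findings


def scan_bundle(files: dict) -> list:
    """Scan an in-memory {path: bytes} map, e.g. members read straight out of an IPA/APK zip."""
    out = []
    for path, data in sorted(files.items()):
        out.extend(scan_bytes(path, data))
    return out


def scan_tree(root: str) -> list:
    """Scan every file under an unpacked app directory on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_bundle(files)


def shared_keys(findings: list) -> dict:
    """Key IDs seen in more than one file or app: the signature of a leaking shared SDK."""
    by_key = defaultdict(set)
    for f in findings:
        by_key[f.access_key_id].add(f.path)
    return {k: sorted(p) for k, p in by_key.items() if len(p) > 1}


# Constructed sample bundle. Key IDs and secret are AWS documentation placeholders.
_SDK_CONFIG = (
    b"<key>AWSAccessKeyId</key><string>AKIAIOSFODNN7EXAMPLE</string>\n"
    b"<key>AWSSecretKey</key><string>wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY</string>\n"
    b"<key>Bucket</key><string>sdk-customer-uploads</string>\n"
)
SAMPLE_BUNDLE = {
    # The same third-party SDK config shipped inside two unrelated apps.
    "Payload/Bank.app/Frameworks/AnalyticsSDK.framework/Config.plist": _SDK_CONFIG,
    "Payload/Casino.app/Frameworks/AnalyticsSDK.framework/Config.plist": _SDK_CONFIG,
    # Main binary: a key ID with only a low-entropy 40-byte run nearby, so no secret.
    "Payload/Bank.app/Bank": b"\x00\x00AKIAI44QH8DHBEXAMPLE\x00" + b"A" * 40 + b"\x00\x00",
    # Lower-case continuation is not a key ID and must not be reported.
    "Payload/Bank.app/Assets.car": b"AKIAnotakeyjustastring",
}

if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"{f.path}: {f.access_key_id} long_term={f.long_term} "
              f"secret={'found' if f.secret_candidate else 'none nearby'}")
    for key, paths in shared_keys(results).items():
        print(f"{key} shared across {len(paths)} files (likely a bundled SDK)")
```

Any hit with a secret next to an AKIA key should be treated as a live credential until proven otherwise: rotate it, then check which buckets and services the key could reach. The durable fix is to stop shipping keys in the binary at all and have the app obtain short-lived, scoped credentials per session (for example from a Cognito identity pool or a backend that calls STS), so that neither the app nor any SDK it bundles carries a long-term secret.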

Similarly, all banking apps that exposed data were…

Source…