AWS, Azure auth keys present in Android and iOS apps utilized by hundreds of thousands

A number of in style cellular functions for iOS and Android include hardcoded, unencrypted credentials for cloud companies like Amazon Net Providers (AWS) and Microsoft Azure Blob Storage, exposing consumer information and supply code to safety breaches.

Exposing one of these credentials can simply result in unauthorized entry to storage buckets and databases with delicate consumer information. Aside from this, an attacker might use them to control or steal information.

In line with a report from Symantec, a Broadcom firm, these keys are current within the apps’ codebases due to errors and unhealthy practices through the improvement part.

“Recent analysis has uncovered a troubling trend: several widely-used apps have been found to contain hardcoded and unencrypted cloud service credentials within their codebases,” Symantec explains.

“This dangerous practice means that anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches,” the researchers say.

Symantec says that its reasearchers discovered credentials to cloud companies within the following apps on Google Play:

  1. Pic Sew – 5M+ downloads – Amazon hardcoded credentials
  2. Meru Cabs – 5M+ downloads – Microsoft Azure Blob Storage hardcoded credentials
  3. Sulekha Business – 500K+ downloads – Microsoft Azure Blob Storage hardcoded credentials
  4. ReSound Tinnitus Aid – 500K+ downloads – Microsoft Azure Blob Storage hardcoded credentials
  5. Saludsa – 100K+ downloads – Microsoft Azure Blob Storage hardcoded credentials
  6. Chola Ms Break In – 100K+ downloads – Microsoft Azure Blob Storage hardcoded credentials
  7. EatSleepRIDE Motorbike GPS – 100K+ downloads – Twilio hardcoded credentials
  8. Beltone Tinnitus Calmer – 100K+ downloads – Microsoft Azure Blob Storage hardcoded credentials
Exposure of keys on Pic Stitch code
Publicity of keys on Pic Sew code
Supply: Symantec

Additionally they found credentials in a number of in style apps listed in Apple’s App Retailer:

  1. Crumbl – 3.9M+ scores – Amazon hardcoded credentials
  2. Eureka: Earn cash for surveys – 402.1K+ scores – Amazon hardcoded credentials
  3. Videoshop – Video Editor – 357.9K+ scores – Amazon hardcoded credentials
  4. Solitaire Conflict: Win Actual Money – 244.8K+ scores – Amazon hardcoded credentials
  5. Zap Surveys – Earn Straightforward Cash – 235K+ scores – Amazon hardcoded credentials
AWS credentials in Crumbl's codebase
AWS credentials in Crumbl’s codebase
Supply: Symantec

Whereas the App Retailer doesn’t report the variety of downloads, the quantity is often a lot greater than the quantity of scores listed.

It’s value noting that Google shows in Play Retailer the entire variety of downloads for the lifetime of the app and doesn’t replicate lively installations.

The presence of any of the apps above in your cellphone doesn’t imply that your private information has been stolen however that it’s accessible and hackers might exfiltrate it except builders take motion and take away the danger.

In September 2022, Symantec raised the alarm about this danger, highlighting that its researchers discovered greater than 1,800 iOS and Android apps that contained AWS credentials, 77% of the apps having legitimate entry tokens within the codebase.

The researchers advocate builders to comply with finest practices for safeguarding delicate info in cellular apps.

This consists of utilizing surroundings variables to retailer credentials, utilizing secrets and techniques administration instruments (e.g. AWS Secrets and techniques Supervisor, Azure Key Vault), encrypting information, common code critiques and audits, and combine automated safety scanning early within the improvement course of to detect delicate information or safety points.

Recent articles