Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

Products You May Like

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk.

“Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services,” Symantec’s Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.

Interestingly, a little more than 50% of the apps were found using the same AWS tokens found in other apps maintained by other developers and companies, indicating a supply chain vulnerability.


“The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps,” the researchers said.

These credentials are typically used for downloading appropriate resources necessary for the app’s functions as well as accessing configuration files and authenticating to other cloud services.

To make matters worse, 47% of the identified apps contained valid AWS tokens that granted complete access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included infrastructure files, and data backups, among others.

In one instance uncovered by Symantec, an unnamed B2B company offering an intranet and communication platform that also provided a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK for accessing the translation service.

This resulted in the exposure of all of its customers’ private data, which encompassed corporate data and financial records belonging to over 15,000 medium-to-large-sized firms.


“Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company’s AWS cloud services,” the researchers noted.

Also uncovered were five iOS banking apps relying on the same AI Digital Identity SDK that contained the cloud credentials, effectively leaking more than 300,000 users’ fingerprint information.

The cybersecurity firm said it alerted the organizations of the issues uncovered in their apps.

The development comes as researchers from CloudSEK revealed that 3,207 mobile apps are exposing Twitter API keys in the clear, some of which could be utilized to gain unauthorized access to Twitter accounts associated with them.

Cyber Security

Products You May Like

Articles You May Like

Realme’s Dizo Partners With Optiemus Electronics to Manufacture Smartwatches, Audio Wearables in India
Get Samsung Crystal 4K UHD TV at a Starting Price of Rs. 28,990 With Innovative Features Like One Billion True Colors, HDR10+, and Dolby Digital Plus
New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons
Adani Group to Invest $100 Billion in Renewable Energy, Data Centres Over Next Decade: All Details
Intel 13th Gen ‘Raptor Lake’ Desktop CPUs Launched, Including Core i9-13900K With 24 Cores

Leave a Reply

Your email address will not be published.