SOCRadar® Cyber Intelligence Inc. | 1,800 Apps with Hardcoded AWS Credentials Show Supply Chain Risks


Sep 02, 2022

More than 1,800 mobile applications have hardcoded AWS credentials, according to Symantec, which has issued a warning about the possible risks of poor security measures.

An analysis of Android and iOS apps revealed that most apps with hard-coded credentials were created for iOS, while only 37 were created for Android.


Extent of the Problem 

It was discovered that 77% of applications contained working AWS access tokens that gave users access to private cloud services and that 47% of them also had tokens that gave users full access to multiple private files stored in the Amazon S3 storage service. More than half of the mobile applications used the same AWS access tokens used by other apps from separate developers. 

Exposure of credentials is not a brand-new problem, but the research sheds light on a potential supply chain issue.

What is the Cause? 

The root cause is frequently a component used by numerous developers, such as a third-party library or SDK. While access keys are occasionally required to download or upload resources and configuration files or to use cloud services, they may also be present in an application simply because the developer forgot them.

The impact of the credentials’ exposure may be minimal if they are limited to a particular cloud service or asset. But occasionally, the developer might unintentionally use and expose an access token, putting all the data and storage of the company in danger. 

Symantec advises developers to look for report cards that scan the SDKs and frameworks in their applications and identify any flaws.
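The following sketch is an added example, not code from Symantec or from the original article. It scans app packages (APK and IPA files are ZIP archives) for plain-text AWS access key IDs and reports IDs that appear in more than one app, which points to a shared SDK or library as the source. The package names, the `IdSDK` path and the sample contents are constructed for illustration; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID used in AWS documentation.

```python
import io
import re
import zipfile
from collections import defaultdict

# AWS access key IDs: a 4-letter prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case alphanumerics.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def scan_package(data: bytes) -> dict[str, set[str]]:
    """Map each key ID found in a package to the archive members holding it."""
    hits = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for member in pkg.infolist():
            # Binary members (frameworks, dex files) are searched as raw bytes.
            for match in KEY_ID.finditer(pkg.read(member)):
                hits[match.group().decode()].add(member.filename)
    return dict(hits)


def shared_keys(packages: dict[str, bytes]) -> dict[str, list[str]]:
    """Return key IDs present in more than one package (likely a common SDK)."""
    seen = defaultdict(set)
    for app, data in packages.items():
        for key_id in scan_package(data):
            seen[key_id].add(app)
    return {k: sorted(apps) for k, apps in seen.items() if len(apps) > 1}


def _make_pkg(files: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample data (hypothetical apps and SDK path).
SDK_BLOB = b'\x00cfg{"accessKey":"AKIAIOSFODNN7EXAMPLE"}\x00'
SAMPLES = {
    "bank_a.ipa": _make_pkg({"Frameworks/IdSDK.framework/IdSDK": SDK_BLOB}),
    "bank_b.ipa": _make_pkg({"Frameworks/IdSDK.framework/IdSDK": SDK_BLOB,
                             "config.plist": b"<key>k</key>AKIAABCDEFGHIJKLMNOP"}),
    "clean.apk": _make_pkg({"classes.dex": b"dex\n035\x00 no secrets here"}),
}

if __name__ == "__main__":
    print(shared_keys(SAMPLES))
```

A match only shows that a key ID is stored in plain text; keys that are encoded or obfuscated inside a library will not be found this way, and any key that is found should be rotated and scoped down rather than merely removed from the next build.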

Possible Cases Concerning AWS 

Researchers from Symantec published several case scenarios. The first one involves a business-to-business company that offers an intranet platform accessible through a mobile SDK. 

The AWS token to access the AWS translation service was hardcoded into the SDK. The company’s AWS cloud services, including client and corporate data and files used by over 15,000 companies on the firm’s intranet, were also accessible with this token. 

Another case study involves five well-known iOS banking apps that use the same identity SDK. The SDK's cloud credentials made public the private authentication data and keys of every financial app that uses it. 300,000 digital biometric fingerprints, personal information, infrastructure data, and source code were also exposed.

Additionally, 16 online gambling applications were found using a vulnerable library, which exposed root account credentials that gave access to infrastructure and AWS cloud services.