Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials
The Symantec Threat Hunter team has spotted 1859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) access tokens that permitted access to private AWS cloud services.
Of all the apps analyzed by the security researchers, roughly 50% were seen using the same AWS tokens found in other apps (maintained by other developers and companies).
“The AWS access tokens could be traced to a shared library, third-party software development kit (SDK), or other shared component used in developing the apps,” reads the advisory, which called the discovery a serious supply chain vulnerability.
As for why app developers were using hard-coded access keys, Symantec said reasons included the necessity of downloading or uploading assets and resources required for the app (usually large media files), accessing configuration files for the app, and accessing cloud services that require authentication.
The security team also shared findings from specific case studies, covering an intranet platform, several iOS banking apps and an online gaming technology platform. More information about each of them is available in the advisory.
The Symantec Threat Hunter team concluded its advisory by providing a series of recommendations to help companies defend against this type of supply chain issue.
“Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues,” wrote the team.
“As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.”
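The kind of check the advisory recommends adding to the development lifecycle can be illustrated with a small scanner. The following Python is an added example and is not Symantec's tooling or code from any of the apps discussed: it looks for AWS access key IDs and secret keys in text extracted from app packages (decompiled source, configuration files, `strings` output) and then correlates hits across several apps, since a key that turns up in more than one app is the shared-SDK pattern the researchers describe. The regular expressions rely on the commonly documented key-ID prefixes and lengths and are a heuristic, not a guarantee; the app names, file contents and credential values below are constructed for the example.

```python
import re
from collections import defaultdict

# Heuristic for long-term (AKIA) and temporary (ASIA) access key IDs:
# 4-character prefix followed by 16 upper-case alphanumerics (assumption:
# these are the documented conventions; treat matches as leads to verify).
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-alphabet characters. Requiring a nearby
# "secret key"-style label keeps random 40-character strings out of the results.
AWS_SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def find_credentials(text):
    """Return (access_key_ids, secret_keys) found in one app's extracted text."""
    ids = set(AWS_ACCESS_KEY_ID.findall(text))
    secrets = set(AWS_SECRET_KEY.findall(text))
    return ids, secrets


def correlate_across_apps(app_sources):
    """Map each access key ID to the sorted list of apps it appears in.

    app_sources: dict of app name -> extracted text for that app.
    """
    key_to_apps = defaultdict(set)
    for app, text in app_sources.items():
        ids, _ = find_credentials(text)
        for key_id in ids:
            key_to_apps[key_id].add(app)
    return {k: sorted(v) for k, v in key_to_apps.items()}


def shared_keys(app_sources):
    """Keys present in more than one app: the shared-library/SDK signal."""
    return {k: apps for k, apps in correlate_across_apps(app_sources).items()
            if len(apps) > 1}


# Constructed sample input standing in for text pulled out of four app packages.
SAMPLE_APPS = {
    "retail-android": (
        'public static final String ACCESS_KEY = "AKIAEXAMPLE000000001";\n'
        'public static final String SECRET_KEY = "EXAMPLESECRET0123456789abcdefghijklmnopq";\n'
    ),
    "bank-ios": (
        'let awsAccessKey = "AKIAEXAMPLE000000001"\n'
        'let awsSecretKey = "EXAMPLESECRET0123456789abcdefghijklmnopq"\n'
    ),
    "game-android": "AWS_KEY=AKIAEXAMPLE000000002\n",
    "clean-app": 'api_base = "https://example.invalid/v1"\n',
}


if __name__ == "__main__":
    for app, text in SAMPLE_APPS.items():
        ids, secrets = find_credentials(text)
        if ids or secrets:
            print(f"{app}: key IDs={sorted(ids)} secrets found={len(secrets)}")
    for key_id, apps in shared_keys(SAMPLE_APPS).items():
        print(f"{key_id} is shared by {apps} -> check for a common SDK or library")
```

In a real pipeline the input would come from unpacking each release (APK or IPA) rather than from in-memory strings, and every hit should be treated as a credential to rotate and scope down, not merely a finding to log; the cross-app correlation is what turns a per-app finding into a supply chain question about which SDK introduced the key.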
For context, AWS technologies were also under the spotlight earlier this year when a Turkish airline accidentally leaked personal information of flight crew alongside source code and flight data due to a misconfigured AWS bucket.
More recently, Amazon fixed a high-severity vulnerability in its Photos Android app.