Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials

The Symantec Threat Hunter team has spotted 1859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) access tokens that permitted access to private AWS cloud services.
Of all the apps analyzed by the security researchers, roughly 50% were seen using the same AWS tokens found in other apps (maintained by other developers and companies).
“The AWS access tokens could be traced to a shared library, third-party software development kit (SDK), or other shared component used in developing the apps,” reads the advisory, which called the discovery a serious supply chain vulnerability.
As for why app developers were using hard-coded access keys, Symantec said reasons included the necessity of downloading or uploading assets and resources required for the app (usually large media files), accessing configuration files for the app, and accessing cloud services that require authentication.
The security team also shared findings from specific case studies covering an intranet platform, various iOS banking apps and an online gaming technology platform. More information about each of them is available here.
The Symantec Threat Hunter team concluded its advisory by providing a series of recommendations to help companies defend against this type of supply chain issue.
“Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues,” wrote the team.
“As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.”
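As an added illustration of the scanning recommendation (this is not Symantec's tooling or code from the advisory), the following Python example searches unpacked app directories for AWS access key IDs and reports keys that appear in more than one app, the pattern the advisory traces to shared libraries and SDKs. The directory layout, file names and the `AKIAEXAMPLEAPPONLY00` key are constructed for the example; `AKIAIOSFODNN7EXAMPLE` is the example key ID used in AWS documentation.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 uppercase letters/digits. Scan bytes so compiled binaries are covered.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

def scan_app(app_dir):
    """Return {key_id: sorted relative paths} for one unpacked APK/IPA directory."""
    hits = defaultdict(set)
    for path in Path(app_dir).rglob("*"):
        if path.is_file():
            for match in KEY_ID_RE.finditer(path.read_bytes()):
                hits[match.group(0).decode()].add(path.relative_to(app_dir).as_posix())
    return {key: sorted(paths) for key, paths in hits.items()}

def shared_keys(apps):
    """apps maps app name -> unpacked directory. Return keys present in 2+ apps."""
    seen = defaultdict(set)
    for name, app_dir in apps.items():
        for key in scan_app(app_dir):
            seen[key].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}

def demo():
    """Build two constructed app trees and report per-app and cross-app findings."""
    sdk_key = b"AKIAIOSFODNN7EXAMPLE"   # AWS documentation example key ID
    own_key = b"AKIAEXAMPLEAPPONLY00"   # constructed placeholder
    with tempfile.TemporaryDirectory() as root:
        a, b = Path(root, "app_a"), Path(root, "app_b")
        (a / "lib").mkdir(parents=True)
        (a / "assets").mkdir()
        (b / "Frameworks").mkdir(parents=True)
        (a / "lib" / "libvendor.so").write_bytes(b"\x7fELF\x00" + sdk_key + b"\x00")
        (a / "assets" / "config.json").write_bytes(b'{"accessKey": "' + own_key + b'"}')
        (b / "Frameworks" / "VendorSDK").write_bytes(b"\xcf\xfa\xed\xfe" + sdk_key)
        apps = {"app_a": a, "app_b": b}
        return {name: scan_app(d) for name, d in apps.items()}, shared_keys(apps)

if __name__ == "__main__":
    per_app, shared = demo()
    print(per_app)
    print(shared)  # a key in several apps points at a shared library or SDK
```

A key that surfaces only inside a bundled library path, and in several unrelated apps, is one to raise with the component's vendor as well as rotate.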
For context, AWS technologies were also under the spotlight earlier this year when a Turkish airline accidentally leaked personal information of flight crew alongside source code and flight data due to a misconfigured AWS bucket.
More recently, Amazon fixed a high-severity vulnerability in its Photos Android app.