Here's how 5 mobile banking apps put 300,000 users' digital fingerprints at risk
2022-09-01 10:04

Massive amounts of private data - including more than 300,000 biometric digital fingerprints used by five mobile banking apps - have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.

In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

"Each one of them makes decisions about the security of a product that you ultimately end up providing to your customers. So a decision by, say, someone providing an SDK to put in hard-coded credentials could potentially impact thousands of different apps, depending on how widely it is used."

In another example of what not to do in mobile app development, the security shop found five iOS banking apps that used the same vulnerable AI digital identity SDK. Using third-party software for the authentication component of an app is fairly common.

Finally, in a third example of mobile app supply chain risk, Symantec found 16 online gambling apps using a vulnerable software library that, according to Watkins, "exposed full infrastructure and cloud services across all AWS cloud services with full read/write root account credentials." Not a good look for the highly regulated sports betting industry.

There are several reasons why these different apps baked in access keys.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/09/01/mobile_apps_leaked_biometrics/