Security News > 2022 > September > Over 1,000 iOS apps found exposing hardcoded AWS credentials
Researchers at Symantec's Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them being iOS apps and just 37 for Android.
The threat analysts highlight three notable cases in their report where the exposed AWS tokens could have had catastrophic consequences for both authors and users of the vulnerable apps.
The software development kit the company provided to clients to access its services contains AWS keys, exposing all private customer data stored on the platform.
Another case is a third-party digital identity and authentication SDK used by several banking apps on iOS that included valid cloud credentials.
Finally, Symantec found a sports betting technology platform used by 16 online gambling apps, that exposed its entire infrastructure and cloud services with admin-level read/write permissions.
The issue with hard-coded and "Forgotten" cloud service credentials is basically a supply chain problem, as the negligence of an SDK developer can impact an entire collection of apps and services that rely on it.