Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials
2022-09-01 10:19

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services credentials, posing a major security risk.

"Over three-quarters of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.

Interestingly, a little more than 50% of the apps used the same AWS tokens found in other apps maintained by other developers and companies, indicating a supply chain vulnerability.

These credentials are typically used to download resources the app needs to function, to access configuration files, and to authenticate to other cloud services.

To make matters worse, 47% of the identified apps contained valid AWS tokens that granted complete access to all private files and Amazon Simple Storage Service buckets in the cloud.

Also uncovered were five iOS banking apps relying on the same AI Digital Identity SDK that contained the cloud credentials, effectively leaking more than 300,000 users' fingerprint information.


News URL

https://thehackernews.com/2022/09/over-1800-android-and-ios-apps-found.html

Related vendor

Vulnerabilities in the last 12 months:

VENDOR    #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Android   4            0     17       2      0          19