The Symantec Threat Hunter team has discovered 1859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) access tokens that allowed access to private AWS cloud services.
Of all the apps analyzed by the security researchers, roughly 50% were seen using the same AWS tokens found in other apps (maintained by other developers and companies).
“The AWS access tokens could be traced to a shared library, third-party software development kit (SDK), or other shared component used in developing the apps,” reads the advisory, which called the discovery a serious supply chain vulnerability.
As for why app developers were using hard-coded access keys, Symantec said reasons included the need to download or upload assets and resources required for the app (usually large media files), accessing configuration files for the app, and accessing cloud services that require authentication.
The security team also shared findings related to specific case studies, involving an intranet platform, various iOS banking apps and an online gaming technology platform respectively. More information about each of them is available here.
The Symantec Threat Hunter team concluded its advisory by providing a series of recommendations to help companies defend against this type of supply chain issue.
“Adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app, can all be helpful in highlighting potential issues,” wrote the team.
“As an app developer, look for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.”
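One way to put the "scan SDKs and frameworks" advice into practice is a release-pipeline check that looks for AWS access key material in the string dumps of built apps and, as Symantec did, groups hits by key across apps so that a key shared by several builds points at a common SDK. This is an added example, not code from Symantec or the article; the key formats (20-character IDs starting with AKIA or ASIA, 40-character base64-alphabet secrets) are AWS's documented shapes, the secret pattern is a heuristic, and the sample dumps and app names are constructed.

```python
import re
from collections import defaultdict

# AWS access key IDs are 20 characters and begin with AKIA (long-term IAM user
# keys) or ASIA (temporary STS keys). Secret access keys are 40 characters from
# the base64 alphabet; that pattern is a heuristic and hits need manual review.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")


def find_aws_keys(text, window=200):
    """Map each access key ID found in `text` to candidate secrets that appear
    within `window` characters after it (secrets usually sit next to the ID)."""
    found = {}
    for m in ACCESS_KEY_RE.finditer(text):
        key_id = m.group(1)
        found.setdefault(key_id, [])
        for secret in SECRET_KEY_RE.findall(text[m.end(): m.end() + window]):
            if secret not in found[key_id]:
                found[key_id].append(secret)
    return found


def shared_keys(apps):
    """apps: {app_name: strings_dump}. Return {access_key_id: sorted app names}
    for IDs present in more than one app, the signature of a shared SDK."""
    owners = defaultdict(set)
    for app, text in apps.items():
        for key_id in find_aws_keys(text):
            owners[key_id].add(app)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


# Constructed strings(1)-style dumps; the key values are AWS's public
# documentation placeholders and a made-up ID, not real credentials.
SAMPLE_APPS = {
    "bank-app": 'aws_access_key_id="AKIAIOSFODNN7EXAMPLE"\n'
                'aws_secret="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "game-app": "AWSKey=AKIAIOSFODNN7EXAMPLE\nbucket=media-assets\n",
    "intranet-app": "key: AKIAEXAMPLEEXAMPLE01\n",
}

if __name__ == "__main__":
    import sys
    # Usage: python scan_aws_keys.py app1.strings app2.strings ...
    dumps = {p: open(p, encoding="utf-8", errors="replace").read()
             for p in sys.argv[1:]} or SAMPLE_APPS
    for key_id, apps in shared_keys(dumps).items():
        print(f"{key_id} shared by {len(apps)} apps: {', '.join(apps)}")
```

Run it against `strings` output of each unpacked APK or IPA in CI and fail the build on any hit; a key that shows up in several unrelated apps is the case to escalate to the SDK vendor.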
For context, AWS technologies were also under the spotlight earlier this year when a Turkish airline accidentally leaked personal information of flight crew alongside source code and flight data due to a misconfigured AWS bucket.
More recently, Amazon fixed a high-severity vulnerability in its Photos Android app.