- Jul 27, 2015
Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.
Symantec's Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means anyone who looked inside the apps would find the credentials in the code, and could potentially use them to access the apps' backend Amazon-hosted servers and steal users' data. The vast majority (98 percent) were iOS apps. In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today. Additionally, almost half (47 percent) contained valid AWS tokens providing full access to sometimes millions of private files via Amazon S3 buckets. These hard-coded AWS access tokens would be easy to extract and exploit, and reflect a serious supply-chain issue, Dick O'Brien, principal editor on Symantec's Threat Hunter Team, told The Register.
In one case, we're told, a B2B provider of intranet and communications services supplied its customers with a mobile SDK for accessing its platform. It turned out the SDK contained the provider's cloud infrastructure keys, which potentially exposed all of its customers' data stored on the platform — including financial records, employee information, and other records. Data on more than 15,000 medium and large-sized companies was exposed.
The SDK had a hard-coded AWS token to access an Amazon-powered translation service. However, that token granted full access to the provider's backend systems, rather than just the translation tool. "Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company's AWS cloud services," Symantec's Kevin Watkins wrote.
In another example of what not to do in mobile app development, the security shop found five iOS banking apps that used the same vulnerable AI digital identity SDK. Using third-party software for the authentication component of an app is fairly common. As Watkins noted: "The complexities of providing different forms of authentication, maintaining the secure infrastructure, and accessing and managing the identities can incur a high cost and requires expertise in order to do it right."
However, it can also lead to leaky data. In this case, the SDK included embedded credentials that exposed users' biometric digital fingerprints used for authentication along with names and dates of birth. "Over 300,000 people's fingerprints were exposed," O'Brien said. Besides the banking customers' personal information, the access key also exposed the server infrastructure and blueprints, including the API source code and AI models used.
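As an added example (not code from the Symantec research or from The Register), here is a Python pre-release check a mobile team could run over the printable strings of its own app build to catch the kind of embedded AWS access tokens the article describes. The sample strings and key values are constructed placeholders (the key IDs and secret are the ones AWS uses in its own documentation), not real credentials.

```python
import re

# AWS access key IDs are 20 characters: a four-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. Secret access keys are 40 characters drawn from [A-Za-z0-9/+];
# that shape also matches other 40-character tokens, so it is only used as a
# corroborating signal next to an access key ID, never as a finding on its own.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

def scan_strings(lines, window=5):
    """Scan printable strings extracted from a build artifact (one entry per
    list element, e.g. the output of `strings` on the app binary) and return
    one finding per AWS access key ID found."""
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            nearby = lines[max(0, i - window): i + window + 1]
            secret_nearby = any(SECRET_KEY_RE.search(s) for s in nearby)
            long_lived = key_id.startswith("AKIA")
            findings.append({
                "line": i + 1,
                "key_id": key_id,
                "kind": "long-lived IAM key" if long_lived else "temporary STS key",
                "secret_nearby": secret_nearby,
                # A long-lived key, or any key shipped with its secret, is the
                # article's scenario: whoever unpacks the app can use it directly.
                "severity": "critical" if long_lived or secret_nearby else "high",
            })
    return findings

def build_should_fail(findings):
    """CI gate: any embedded AWS access key blocks the release."""
    return len(findings) > 0

# Constructed sample of extracted strings; the key values are the placeholders
# AWS uses in its documentation, not real credentials.
SAMPLE_STRINGS = [
    "com.example.bank.auth",
    "https://translate.us-east-1.amazonaws.com",
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "UIApplicationDidEnterBackgroundNotification",
]
```

Running `scan_strings(SAMPLE_STRINGS)` reports the placeholder key on line 3 as a critical, long-lived key with its secret nearby; a key for a translation endpoint that should never have left the backend is exactly what such a gate is meant to stop.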