Baked-in AWS Credentials in Found in Hundreds of Apps
Researchers from Symantec’s Threat Hunter Team have discovered more than 1,800 apps that contain hard-coded AWS credentials. Nearly all of the affected apps are iOS apps. More than half of the apps were found to be using the same AWS tokens that were found in other apps.
These days, every wave of new technology use goes through the same pattern: (1) security needed; (2) security gets in the way; (3) shortcuts taken; (4) security compromised. This is actually an improvement over a decade ago when step (1) was ignored. Today, requiring testing of all software by off the shelf tools will detect most common instances of (3) shortcuts taken.
For years in the Cloud Penetration Testing class, we have told students that we find hardcoded AWS keys in software. Many architects or students who work on the defensive side find this hard to believe. This type of example doesn’t surprise those that have been doing this type of work for a while, but examples like this help us point to practices that are less than ideal, surely very insecure. Now for the wider impact of this, you need to dig into the details. 1,800 is a fraction of the 2 million apps in the app store today. I will say that compiled apps make it much harder to uncover flaws like this, so there are more than likely more apps that have this issue in those stores.
The challenge is to take the time to fully understand the frameworks and services used in delivering a service or application. Make sure that you understand what access is granted. Hardcoded credentials are easier to use than rotating or transient credentials, and not only do your developers need to stop with hardcoded credentials, but also make sure that the access granted by the credentials used are only for the objects and services needed. Where using third party services, stop to understand what access they require and how that access is managed, to include separations from others using their services. Lateral movement, data modification and exfiltration risks all need to be considered.
Read more in
Bleeping Computer: Over 1,000 iOS apps found exposing hardcoded AWS credentials