IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

'Vast majority' of mobile apps found leaking AWS credentials are on iOS

Only 2% of the apps that were found to be leaking hard-coded AWS credentials were on the Android platform, research has shown

iOS apps are leaking hard-coded Amazon Web Services (AWS) credentials far more often than Android-based versions of the same app, according to new research.

Analysis of the software libraries belonging to more than 1,800 publicly available apps found that 77% had leaked details that attackers could use to gain access to private AWS accounts, while 47% were found to have leaked credentials associated with Amazon S3 buckets.

Of these vulnerable apps, 98% were installed on iOS, according to Kevin Watkins, security researcher at Symantec.

Watkins concluded that the issue stemmed from a software supply chain fault, given that in more than half (53%) of the leaky apps, the same AWS credentials were exposed, despite the apps being developed by different companies.

An analysis of the apps showed the common AWS access tokens found across more than half of the affected apps could be traced back to shared libraries, third-party software development kits (SDKs), or another shared component existing in the apps’ code.

Watkins didn't detail why the issue was so much more prevalent in iOS development than Android. IT Pro has approached Symantec for further comment.

Using shared libraries is common practice in the software development space, and this is partly why the Log4Shell vulnerability was so worrying when it was first discovered.

It can be difficult for developers to know when a software library is vulnerable or otherwise insecure, and supply chain-related issues can also arise when companies outsource their app development or when companies use the same vulnerable component across multiple apps.

Finding hard-coded credentials in apps isn’t a novel trend and has been well-documented previously, including by Watkins.

“Regularly, we find no access controls in apps at all – that is, all private user data in an app is exposed to the world – or the private keys are easily found, or hard-coded, inside the app binary,” he said in an earlier blog post

“In fact, chances are there is at least one app on your mobile device containing private cloud keys that expose your private data. The keys – as is often the case – open up the doors to the corporate kingdom, putting sensitive data at risk of exposure.”

Numerous reasons exist to explain why developers use hard-coded access keys in mobile apps, one being for the downloading or uploading of resources like media files.

Other explanations include accessing configuration files for the app for storage in the cloud, or accessing cloud services that require authentication, like translation functionality, Watkins said.

Related Resource

2021 Gartner critical capabilities for data integration tools

How to identify the right tool in support of your data management solutions

Whitepaper cover with title, text, dark header banner, and logoFree Download

There may also be no apparent reasons to explain the hard-coded credentials at all, he said. Sometimes developers forget to remove dead code or code reserved only for testing purposes, and this ultimately is left included in the app’s final release.

Cloud credentials may be hard-coded into apps, in some cases, because developers feel the impact might not be severe. Watkins said that “if an access key only has permission to access a specific cloud service or asset, for example accessing public image files from the corporate Amazon S3 service, the impact may be minimal”.

Exposing all files and buckets through hard-coded cloud credentials is often the reality, though, Watkins said, and this can lead to corporate files and sensitive data relating to databases and operational infrastructure being left open to attackers.

To prevent common software supply chain issues from entering a business app, Watkins recommends adding security scanning products to the development lifecycle.

If app development is outsourced, as is often the case with smaller businesses, then requiring the development company to send app report cards for every release, ideally ones that include scans of SDKs and frameworks, and reviewing them, can help to identify issues, too.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
Salesforce co-CEO Bret Taylor resigns with cryptic parting message
Business operations

Salesforce co-CEO Bret Taylor resigns with cryptic parting message

1 Dec 2022
The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022