'Vast majority' of mobile apps found leaking AWS credentials are on iOS

Black iPhone 13 Pro on a dark wood surface
(Image credit: Shutterstock)

iOS apps are leaking hard-coded Amazon Web Services (AWS) credentials far more often than Android-based versions of the same app, according to new research.

Analysis of the software libraries belonging to more than 1,800 publicly available apps found that 77% had leaked details that attackers could use to gain access to private AWS accounts, while 47% were found to have leaked credentials associated with Amazon S3 buckets.

Of these vulnerable apps, 98% were installed on iOS, according to Kevin Watkins, security researcher at Symantec.

Watkins concluded that the issue stemmed from a software supply chain fault, given that in more than half (53%) of the leaky apps, the same AWS credentials were exposed, despite the apps being developed by different companies.

An analysis of the apps showed the common AWS access tokens found across more than half of the affected apps could be traced back to shared libraries, third-party software development kits (SDKs), or another shared component existing in the apps’ code.

Watkins didn't detail why the issue was so much more prevalent in iOS development than Android. IT Pro has approached Symantec for further comment.

Using shared libraries is common practice in the software development space, and this is partly why the Log4Shell vulnerability was so worrying when it was first discovered.

It can be difficult for developers to know when a software library is vulnerable or otherwise insecure, and supply chain-related issues can also arise when companies outsource their app development or when companies use the same vulnerable component across multiple apps.

Finding hard-coded credentials in apps isn’t a novel trend and has been well-documented previously, including by Watkins.

“Regularly, we find no access controls in apps at all – that is, all private user data in an app is exposed to the world – or the private keys are easily found, or hard-coded, inside the app binary,” he said in an earlier blog post.

“In fact, chances are there is at least one app on your mobile device containing private cloud keys that expose your private data. The keys – as is often the case – open up the doors to the corporate kingdom, putting sensitive data at risk of exposure.”

Numerous reasons exist to explain why developers use hard-coded access keys in mobile apps, one being for the downloading or uploading of resources like media files.

Other explanations include accessing configuration files for the app for storage in the cloud, or accessing cloud services that require authentication, like translation functionality, Watkins said.

RELATED RESOURCE

2021 Gartner critical capabilities for data integration tools

How to identify the right tool in support of your data management solutions

FREE DOWNLOAD

There may also be no apparent reasons to explain the hard-coded credentials at all, he said. Sometimes developers forget to remove dead code or code reserved only for testing purposes, and this ultimately is left included in the app’s final release.

Cloud credentials may be hard-coded into apps, in some cases, because developers feel the impact might not be severe. Watkins said that “if an access key only has permission to access a specific cloud service or asset, for example accessing public image files from the corporate Amazon S3 service, the impact may be minimal”.

Exposing all files and buckets through hard-coded cloud credentials is often the reality, though, Watkins said, and this can lead to corporate files and sensitive data relating to databases and operational infrastructure being left open to attackers.

To prevent common software supply chain issues from entering a business app, Watkins recommends adding security scanning products to the development lifecycle.

If app development is outsourced, as is often the case with smaller businesses, then requiring the development company to send app report cards for every release, ideally ones that include scans of SDKs and frameworks, and reviewing them, can help to identify issues, too.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.