The cybersecurity researchers at Symantec have recently warned of the risks related to poor security practices, pointing out that it found hardcoded credentials for AWS in more than 1,800 Android and iOS applications.
Almost all of the applications consisting of hardcoded credentials that are developed for iOS and Android have been examined by the threat hunting team of Symantec.
The presence of the same AWS tokens was found in more than 50% of the apps. Various developers and companies have used these tokens in their apps as well. There are serious implications for the supply chain as a consequence of this report.
There have been a number of things that can be traced to the AWS access tokens, including:-
- Shared library
- Third-party SDK
- Apps are developed using other components
Supply Chain Risk
A mobile application software development process resembles that of a supply chain for the manufacture and distribution of materials goods and involves the following things:-
- Collection software libraries
- Software development kits (SDKs)
- Developing the mobile apps
Mobile apps can become vulnerable to these upstream supply chain issues:-
- There are many instances in which mobile app developers are unaware that the source libraries and SDKs of their apps are vulnerable.
- The risk in the outsourcing of mobile app development is that companies will end up with vulnerabilities in the apps that could expose them to risks.
- In most companies, especially larger ones, there are multiple apps being developed by multiple teams and these apps use cross-team vulnerable libraries.
Technical Analysis
In most cases, this type of credential is used to download the resources that are necessary for the app to function properly. Along with this, it also allows authentication to cloud services and access to configuration files.
Among the incidents that Symantec has discovered, one of the most notable was with an unnamed B2B company offering an intranet and communication platform to its customers, along with a mobile SDK.
In this instance, the company’s cloud infrastructure keys had been embedded in the SDK for access to the translation service within the cloud infrastructure.
As a result of this, all of the customer information of the company was exposed to the public. Over 15,000 medium-to-large-sized companies were included in the database. The database encompassed their corporate data and financial records.
Moreover, the researchers also discovered five iOS banking apps that used the same AI Digital Identity SDK. As a result, over 300,000 fingerprints have effectively been leaked.
However, in accordance with the cybersecurity firm, the organizations were notified of the issues uncovered in their applications after it was discovered.