Hundreds of iOS apps could be leaking AWS credentials
Hundreds of mobile apps have been found to be leaking Amazon Web Services (AWS) credentials.
A recent Symantec analysis identified 1,859 publicly available apps, 98% of which are iOS apps, containing hard-coded AWS credentials that could be putting your data at risk.
The company found over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services, and nearly half (47%) contained valid AWS tokens that also gave full access to numerous, often millions, of private files via the Amazon Simple Storage Service (Amazon S3).
AWS password leaks
Some of the reasons for the vulnerabilities, says security researcher Kevin Watkins, include the unwitting use of vulnerable external software libraries and SDKs, the outsourcing of app development, and cross-team collaboration, all of which present numerous opportunities for missing information and ineffective communication.
The analysis highlights three real-world examples of affected companies. The first, an unnamed B2B company that provides an intranet and communications platform, had provided a mobile SDK to its customers that exposed the company's cloud infrastructure keys, and with them financial records and private data.
The second example cites a number of iOS banking apps that had outsourced the digital ID and authentication component of their respective apps. Affected users of this SDK had their personal data exposed, including names and dates of birth. Furthermore, over 300,000 biometric digital fingerprints were leaked by five banking apps.
Finally, a hospitality and entertainment company that had teamed up with another company to share its technology platform was found to be exposing business and customer data from a library that was being used by 16 different apps.
The research findings have been shared with the companies involved; however, it's not yet known whether the issues have been fixed.
Via Bleeping Computer