Virtualization Technology News and Information
More Than 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials


The Symantec Threat Hunter team has spotted 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) access tokens that permitted access to private AWS cloud services.

The study highlights a supply chain issue with potentially serious implications. More than half of the mobile applications were using the same AWS access tokens that were present in other apps, often created by different developers and companies.

Here is what a few industry experts had to say about this news:


Scott Gerlach, Co-Founder and CSO at StackHawk, a Denver-based provider of API Security Testing:

"Adding DevSecOps tools, like secret scanning to CI/CD, can help ferret out these types of secrets when building software. And it's critical that you understand how to manage and securely provision AWS and other API keys/tokens to prevent unwarranted access."


Tony Goulding, Cybersecurity Evangelist at Delinea, a Redwood City, Calif.-based provider of privileged access management (PAM) solutions:

"Any credentials hard-coded into apps are a bad idea. Ideally, they're replaced with an API call to a repo (e.g., SaaS vault) so they can pull a credential or key down in real time that doesn't persist on the device, in the app, or a local config file. An alternative approach is to use the AWS STS service to provision temporary tokens to grant access to AWS resources. They're similar to their long-term brethren except they have a short lifespan that's configurable - as little as 15 minutes. Once they expire, AWS won't recognize them as valid, preventing an illicit API request using that token. This is better cyber hygiene that follows the principles of just-in-time access without leaving credentials standing or exposed."
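Gerlach's point about secret scanning in CI/CD and Goulding's about STS temporary tokens, in working form as an added example (not code from the article or from any of the quoted vendors): a small scanner that flags AWS access key IDs and secret keys in source, distinguishes long-term AKIA keys from STS-issued ASIA ones, and acts as a build gate. The key formats (AKIA/ASIA prefix, 20-character ID, 40-character secret) are AWS's published ones; the sample config, its credential values and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# AWS access key IDs are 20 characters: "AKIA" prefixes long-term IAM user keys,
# "ASIA" prefixes temporary credentials issued by STS.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 base64-like characters. Only flag one that sits next
# to a "secret key" style identifier, so bare 40-character hashes (e.g. SHA-1
# hex) in the same tree do not produce false positives.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,3}[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def redact(secret: str) -> str:
    """Keep enough to correlate the same token across apps, never the full value."""
    return secret[:4] + "..." + secret[-4:]

def scan_text(text: str, source: str = "<input>") -> List[Dict[str, object]]:
    """Return one finding per credential-looking value, with line number and kind."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key = m.group(1)
            findings.append({"source": source, "line": lineno, "kind": "access_key_id",
                             "lifetime": "long-term" if key.startswith("AKIA") else "temporary",
                             "value": redact(key)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "kind": "secret_access_key",
                             "lifetime": "n/a", "value": redact(m.group(1))})
    return findings

def should_fail_build(findings: List[Dict[str, object]]) -> bool:
    """CI gate: a long-term key ID or any secret key in the tree blocks the release."""
    return any(f["kind"] == "secret_access_key" or f["lifetime"] == "long-term"
               for f in findings)

# Constructed sample resembling an SDK config class; no real credential is used.
SAMPLE = """\
public static final String S3_BUCKET = "example-assets";
public static final String AWS_ACCESS_KEY = "AKIACONSTRUCTED00001";
public static final String AWS_SECRET_KEY = "ConstructedSecretKeyForTestingOnly00000A";
String sessionKey = "ASIACONSTRUCTED00002"; // STS token, should still not be baked in
String checksum = "da39a3ee5e6b4b0d3255bfef95601890afd80709"; // SHA-1, not a credential
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "SAMPLE"):
        print(f"{f['source']}:{f['line']}: {f['kind']} ({f['lifetime']}) {f['value']}")
    raise SystemExit(1 if should_fail_build(scan_text(SAMPLE, "SAMPLE")) else 0)
```

In a pipeline, run `scan_text` over each file in the checkout and use the non-zero exit to block the build; the redacted prefix/suffix is enough to spot the same token reappearing across unrelated apps, which is the pattern the Symantec study describes.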


Ryan Kennedy, Cybersecurity Consultant at nVisium, a Falls Church, Virginia-based application security provider:

"Hardcoded credentials in software are a well-known issue, even beyond mobile applications. When multiple applications use the same libraries, which themselves have hardcoded tokens with very loose permissions, usage of the library essentially propagates the vulnerability. Furthermore, by not restricting usage of tokens, anybody can use them to potentially access sensitive information stored by vulnerable applications using those libraries, or including their own tokens. The combination of hardcoded credentials which give unfettered access to privileged services could result in exposure of not only customer information, but also potentially grant access to sensitive information belonging to the app developers."


John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company:

"Hard-coded credentials remain an issue throughout the software lifecycle. However, it's much worse when those credentials are in public applications shared with the world. While some measure of access control may be needed to download a shared library or resource files, making sure those credentials can ONLY download those necessary components is essential. It seems some organizations have resolved their problems with wide-open S3 buckets by putting in one key for full access and then using that widely and distributing it everywhere. Such practices do little more than ensure that I can never retire."


Darryl MacLeod, vCISO at LARES Consulting, a Denver, Colorado-based information security consulting firm:

"Tokens are usually secure because they can be easily rotated and revoked. If organizations don't take the time to manage their tokens, their supply chain is vulnerable.

"Supply chain attacks are on the rise, and they're becoming more sophisticated. In order to defend against these attacks, companies need to take security seriously. A secure software development lifecycle can help, but it's only part of the solution. Tokens are a crucial part of protecting data and they should be managed properly."


Published Friday, September 02, 2022 2:19 PM by David Marshall