The Symantec Threat Hunter team has spotted 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) access tokens that permitted access to private AWS cloud services.

The study highlights a supply chain issue with potentially serious implications. More than half of the mobile applications were using the same AWS access tokens that were present in other apps, often created by different developers and companies.

Here is what a few industry experts had to say about this news:
Scott Gerlach, Co-Founder and CSO at StackHawk, a Denver-based provider of API Security Testing:

"Adding DevSecOps tools, like secret scanning to CI/CD, can help ferret out these types of secrets when building software. And it's critical that you understand how to manage and securely provision AWS and other API keys/tokens to prevent unwarranted access."
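A minimal version of the secret-scanning check Gerlach describes, as an added example that is not code from StackHawk, Symantec or the original article. It runs over the files of an unpacked app package (here a constructed `strings.xml` and `Info.plist` held in memory; the only credentials in them are the example values AWS publishes in its documentation), flags AWS access key IDs by their `AKIA`/`ASIA` prefix, and pairs each one with a nearby 40-character string only if its entropy is high enough to be a real secret rather than filler. The file names, the window size and the entropy threshold are assumptions, not values from the report.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) followed by 16 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of base64-like text with no fixed prefix, so
# candidates are 40-character runs not embedded in a longer run of the same alphabet.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s):
    """Bits of entropy per character; real secrets score high, filler like 'AAAA...' scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, name="<input>", window=300, min_entropy=4.0):
    """Return one finding per access key ID, paired with a nearby high-entropy secret if any."""
    findings = []
    for m in ACCESS_KEY_ID_RE.finditer(text):
        key_id = m.group(1)
        finding = {
            "file": name,
            "line": text.count("\n", 0, m.start()) + 1,
            "access_key_id": key_id,
            "temporary": key_id.startswith("ASIA"),  # ASIA keys expire; AKIA keys do not
            "secret_key": None,
        }
        # Look for the secret in a window of text around the key ID (assumed: 300 chars).
        lo, hi = max(0, m.start() - window), min(len(text), m.end() + window)
        for s in SECRET_CANDIDATE_RE.finditer(text, lo, hi):
            if shannon_entropy(s.group(1)) >= min_entropy:
                finding["secret_key"] = s.group(1)
                break
        findings.append(finding)
    return findings


def scan_files(files):
    """files: mapping of path -> text, e.g. the contents of an unpacked APK or IPA."""
    return [f for path, text in files.items() for f in scan_text(text, path)]


# Constructed sample input (not from any real app). The key pair is the one AWS uses
# as an example in its documentation, so it is not a live secret.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '  <string name="app_name">DemoApp</string>\n'
        '  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '  <string name="placeholder">' + "A" * 40 + "</string>\n"   # 40 chars, but low entropy
        '  <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
        "</resources>\n"
    ),
    "Info.plist": "<key>AnalyticsEndpoint</key><string>https://api.example.invalid/v1</string>\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        kind = "temporary" if f["temporary"] else "LONG-TERM"
        print(f'{f["file"]}:{f["line"]}: {kind} key {f["access_key_id"]} '
              f'secret={"found" if f["secret_key"] else "not found"}')
```

Wired into CI as a step that fails the build on any `LONG-TERM` finding, this catches the key before it ships; the `temporary` flag matters because an `ASIA` key in a build artifact is usually a leaked session from a developer's machine rather than a deliberate embed, and is worth a different response.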
Tony Goulding, Cybersecurity Evangelist at Delinea, a Redwood City, Calif.-based provider of privileged access management (PAM) solutions:

"Any credentials hard-coded into apps are a bad idea. Ideally, they're replaced with an API call to a repo (e.g., SaaS vault) so they can pull a credential or key down in real-time that doesn't persist on the device, in the app, or a local config file. An alternative approach is to use the AWS STS service to provision temporary tokens to grant access to AWS resources. They're similar to their long-term brethren except they have a short lifespan that's configurable - as little as 15 minutes. Once they expire, AWS won't recognize them as valid, preventing an illicit API request using that token. This is better cyber hygiene that follows the principles of just-in-time access without leaving credentials standing or exposed."
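The STS pattern Goulding outlines, as an added example that is not code from Delinea or the original article: a holder that keeps temporary credentials in memory only, requests them with the minimum `DurationSeconds` of 900 (15 minutes), and re-assumes the role shortly before they expire. The `assume_role` callable has the signature of boto3's `sts.assume_role`; in production you would pass `boto3.client("sts").assume_role`, while here a constructed `FakeSTS` stands in so the expiry behaviour can be exercised offline, including the fact that the service stops recognising a key once its `Expiration` has passed. The role ARN, session name and 60-second refresh margin are assumptions. One caveat the quote leaves implicit: whatever calls `AssumeRole` must itself authenticate, so on a mobile client this call belongs in a backend broker or an identity-pool flow, not behind yet another key baked into the app.

```python
import secrets
from datetime import datetime, timedelta, timezone

# STS AssumeRole accepts DurationSeconds from 900 s (15 min) up to the role's configured
# maximum session duration, which can be at most 43200 s (12 h).
MIN_DURATION_SECONDS = 900
MAX_DURATION_SECONDS = 43200


def validate_duration(seconds):
    """True when DurationSeconds is within the range STS accepts."""
    return MIN_DURATION_SECONDS <= seconds <= MAX_DURATION_SECONDS


class ShortLivedCredentials:
    """Holds STS credentials in memory only and re-assumes the role before they expire."""

    def __init__(self, assume_role, role_arn, session_name,
                 duration=MIN_DURATION_SECONDS, refresh_margin=60, now=None):
        if not validate_duration(duration):
            raise ValueError(f"DurationSeconds must be in [{MIN_DURATION_SECONDS}, {MAX_DURATION_SECONDS}]")
        self._assume_role = assume_role          # e.g. boto3.client("sts").assume_role
        self._role_arn = role_arn
        self._session_name = session_name
        self._duration = duration
        self._margin = timedelta(seconds=refresh_margin)
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None                       # never written to disk or a config file

    def get(self):
        """Return current credentials, refreshing when within refresh_margin of expiry."""
        if self._creds is None or self._now() >= self._creds["Expiration"] - self._margin:
            resp = self._assume_role(RoleArn=self._role_arn,
                                     RoleSessionName=self._session_name,
                                     DurationSeconds=self._duration)
            self._creds = resp["Credentials"]
        return dict(self._creds)


class FakeSTS:
    """Constructed stand-in for STS (not AWS): returns the AssumeRole response shape and
    refuses to recognise a key once its Expiration has passed."""

    def __init__(self, now):
        self._now = now
        self.calls = 0
        self._issued = {}

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        if not validate_duration(DurationSeconds):
            raise ValueError("ValidationError: DurationSeconds out of range")
        self.calls += 1
        key_id = f"ASIA{self.calls:016d}"        # temporary keys start with ASIA, not AKIA
        expiration = self._now() + timedelta(seconds=DurationSeconds)
        self._issued[key_id] = expiration
        return {
            "Credentials": {
                "AccessKeyId": key_id,
                "SecretAccessKey": secrets.token_urlsafe(30),
                "SessionToken": secrets.token_urlsafe(64),
                "Expiration": expiration,
            },
            "AssumedRoleUser": {"Arn": RoleArn.replace(":role/", ":assumed-role/") + "/" + RoleSessionName},
        }

    def is_valid(self, access_key_id):
        """Whether a request signed with this key would be accepted right now."""
        exp = self._issued.get(access_key_id)
        return exp is not None and self._now() < exp


class Clock:
    """Controllable clock so expiry can be exercised without waiting 15 minutes."""
    def __init__(self, start):
        self.t = start
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += timedelta(seconds=seconds)


def demo():
    clock = Clock(datetime(2022, 9, 1, 12, 0, tzinfo=timezone.utc))
    sts = FakeSTS(clock.now)
    creds = ShortLivedCredentials(sts.assume_role, "arn:aws:iam::123456789012:role/AppAssetsReader",
                                  "mobile-app", now=clock.now)   # assumed role ARN and session name
    first = creds.get()["AccessKeyId"]
    clock.advance(600)                           # 10 min later: still valid, no new STS call
    reused = creds.get()["AccessKeyId"] == first
    clock.advance(300)                           # 15 min: first key expired, holder has rotated
    second = creds.get()["AccessKeyId"]
    return {"first": first, "reused": reused, "second": second, "calls": sts.calls,
            "first_still_valid": sts.is_valid(first), "second_valid": sts.is_valid(second)}


if __name__ == "__main__":
    print(demo())
```

The refresh margin is what makes this robust in practice: refreshing exactly at `Expiration` leaves a window where an in-flight request is signed with a key the service has already stopped honouring.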
Ryan Kennedy, Cybersecurity Consultant at nVisium, a Falls Church, Virginia-based application security provider:

"Hardcoded credentials in software are a well-known issue, even beyond mobile applications. When multiple applications use the same libraries, which themselves have hardcoded tokens with very loose permissions, usage of the library essentially propagates the vulnerability. Furthermore, by not restricting usage of tokens, anybody can use them to potentially access sensitive information stored by vulnerable applications using those libraries, or including their own tokens. The combination of hardcoded credentials which give unfettered access to privileged services could result in exposure of not only customer information, but also potentially grant access to sensitive information belonging to the app developers."
John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company:

"Hard-coded credentials remain an issue throughout the software lifecycle. However, it's much worse when those credentials are in public applications shared with the world. While some measure of access control may be needed to download a shared library or resource files, making sure those credentials can ONLY download those necessary components is essential. It seems some organizations have resolved their problems with wide-open S3 buckets by putting in one key for full access and then using that widely and distributing it everywhere. Such practices do little more than ensure that I can never retire."
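What "can ONLY download those necessary components" looks like as an IAM policy, as an added example that is not code from Netenrich or the original article. Two constructed identity policies are evaluated side by side against constructed requests: the "one key for full access" pattern Bambenek describes, and a policy scoped to `s3:GetObject` on a single SDK prefix. The evaluator is a deliberately simplified model of IAM's decision logic (explicit Deny wins, then any Allow, else implicit deny; Conditions, `NotAction`, resource policies, SCPs and permission boundaries are ignored), and the bucket names, prefix and account ID are assumptions.

```python
import re

# Constructed policies (not from any real account). The first is one key with full S3
# access; the second lets the key do nothing but read the app's own SDK components.
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-app-assets/sdk/*",   # assumed bucket and prefix
        }
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names are case-insensitive; S3 resource ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Conditions and NotAction/NotResource are ignored."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_iam_match(a, action, ignore_case=True) for a in _as_list(st["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed requests: the first is the only thing the app needs; the rest are what anyone
# who extracts the key from the app could try.
REQUESTS = [
    ("s3:GetObject",    "arn:aws:s3:::example-app-assets/sdk/analytics-1.2.3.jar"),
    ("s3:PutObject",    "arn:aws:s3:::example-app-assets/sdk/analytics-1.2.3.jar"),  # replace the SDK
    ("s3:GetObject",    "arn:aws:s3:::example-customer-data/exports/users.csv"),
    ("s3:ListBucket",   "arn:aws:s3:::example-customer-data"),
    ("s3:DeleteObject", "arn:aws:s3:::example-app-assets/sdk/analytics-1.2.3.jar"),
]


def compare(policies, requests=REQUESTS):
    """Return {policy_name: [decision per request]} for a side-by-side view."""
    return {name: [is_allowed(p, a, r) for a, r in requests] for name, p in policies.items()}


if __name__ == "__main__":
    results = compare({"wide-open": WIDE_OPEN_POLICY, "scoped": SCOPED_POLICY})
    for i, (action, resource) in enumerate(REQUESTS):
        print(f"{action:15} {resource:60} wide-open={results['wide-open'][i]!s:5} "
              f"scoped={results['scoped'][i]}")
```

The second request is the one worth staring at: a key that can `PutObject` into the SDK prefix lets whoever holds it replace the library every app that shares the key downloads, which is the supply-chain angle of the Symantec finding. A read-only, single-prefix policy limits an extracted key to exactly the download it was embedded for, and the IAM policy simulator or `iam:SimulatePrincipalPolicy` can run the same kind of request list against the real policy before the key ships.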
Darryl MacLeod, vCISO at LARES Consulting, a Denver, Colorado-based information security consulting firm:

"Tokens are usually secure because they can be easily rotated and revoked. If organizations don't take the time to manage their tokens, their supply chain is vulnerable.

Supply chain attacks are on the rise, and they're becoming more sophisticated. In order to defend against these attacks, companies need to take security seriously. A secure software development lifecycle can help, but it's only part of the solution. Tokens are a crucial part of protecting data and they should be managed properly."