Huge amounts of private data — including more than 300,000 biometric digital fingerprints used by five mobile banking apps — have been at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.
Symantec’s Threat Hunter team said it discovered 1,859 publicly available apps, both Android and iOS, that contain baked-in AWS credentials. In other words, anyone who looked inside the apps would find the credentials in the code, and could use them to gain access to the Amazon-hosted back-end servers of those apps and steal users’ data. The vast majority (98 percent) were iOS apps.
In all, 77 percent of these applications contained valid AWS access tokens that allowed access to AWS private cloud services, the intelligence team noted in research published today.
Additionally, nearly half (47 percent) contained valid AWS tokens that in some cases gave full access to millions of private files across Amazon S3 buckets. Extracting and exploiting hard-coded AWS access tokens would be easy, said Dick O’Brien, senior editor on the Threat Hunter team at Symantec, and it reflects a serious supply chain issue.
We were told that the makers of these apps might not have embedded the credentials themselves, or even known they were there: the tokens might have been introduced by a poorly designed software dependency.
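The credentials described above are found by looking for key-shaped strings in the shipped app, and the same check works on the defender's side before release. The following is an added example, not code from Symantec's research or from any of the apps discussed: a small scanner that walks an unpacked app bundle (an extracted .ipa or .apk, or a build directory; the directory layout and the `sample/sdk.properties` path are assumptions) and reports every string shaped like an AWS access key ID, noting whether a 40-character secret-shaped string sits next to it. The key format it relies on is AWS's documented one: long-term access key IDs are 20 characters starting with `AKIA`, temporary ones start with `ASIA`, and the sample values are the placeholder pair from AWS's own documentation, not live keys.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 upper-case alphanumerics. Secret access keys are 40 characters
# drawn from the base64 alphabet. Both patterns are matched on raw bytes so that
# strings inside compiled code and asset files are found, not only text files.
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


@dataclass
class Finding:
    path: str
    offset: int
    access_key_id: str
    secret_nearby: bool  # key ID plus secret within `window` bytes is the dangerous pair


def scan_bytes(path: str, data: bytes, window: int = 256) -> list[Finding]:
    """Report every access-key-ID-shaped string in `data`.

    A key ID on its own is a lead worth chasing; a key ID with a secret-shaped
    string in the same neighbourhood is a complete credential and should block
    the release until it is revoked and removed.
    """
    findings: list[Finding] = []
    for m in ACCESS_KEY_RE.finditer(data):
        lo = max(0, m.start() - window)
        hi = min(len(data), m.end() + window)
        neighbourhood = data[lo:hi]
        secret = SECRET_KEY_RE.search(neighbourhood) is not None
        findings.append(Finding(path, m.start(), m.group(1).decode(), secret))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk an unpacked app bundle and scan every regular file as bytes."""
    findings: list[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as f:
                    findings.extend(scan_bytes(p, f.read()))
            except OSError:
                continue  # unreadable or special file; skip rather than abort the scan
    return findings


# Constructed sample: an SDK config file that ships both halves of a credential.
# The values are the placeholder pair from AWS's documentation, not real keys.
SAMPLE_CONFIG = b"""
translate.region = us-east-1
aws.accessKeyId = AKIAIOSFODNN7EXAMPLE
aws.secretAccessKey = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # Assumed path label only; the bytes come from the constructed sample above.
    for finding in scan_bytes("sample/sdk.properties", SAMPLE_CONFIG):
        print(finding)
```

Run as a build step, `scan_tree()` over the unpacked bundle turns the problem the researchers found after the fact into a failing build before the app reaches a store. The scanner will also flag the occasional base64 blob that happens to start with `AKIA`, so treat a key ID without a nearby secret as something to inspect, not necessarily a leak.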
“When you talk about mobile app development, most people don’t start from scratch,” O’Brien said.
Instead, developers rely on software libraries, software development kits (SDKs), and other third-party components that are “the building blocks of applications,” he added.
“Each one of them makes decisions about the security of the product that you end up offering to your customers. So, a decision made by, say, someone providing an SDK to put hard-coded credentials in it ends up in thousands of different applications, depending on how widespread it is.”
Not all of the apps analyzed by the threat hunters had a huge user base, but going deeper into some of the more interesting cases, O’Brien said, was “extremely troubling.” “What we’ve seen, the profile of the apps and the nature of the businesses that have been involved in that, will definitely give you pause.”
Here are some examples of what the researchers found.
Sensitive information disclosed
In one case, a B2B service provider offered a mobile SDK for its customers to integrate into their apps. It turns out that the SDK contained the keys to the provider’s cloud infrastructure, potentially exposing all of its data — including financial data, employee information, files of more than 15,000 medium and large companies, and other information — that was stored on the platform.
The SDK carried a hard-coded AWS token so that it could reach Amazon’s cloud translation service. However, that token granted full access to the provider’s back-end systems, rather than just the translation service. “Instead of restricting the hard-coded access token for use with the cloud translation service, anyone with that token has full, unrestricted access to all of the B2B company’s AWS cloud services,” wrote Kevin Watkins of Symantec.
In another example of what not to do in mobile app development, the security firm found five iOS banking apps that use the same AI digital identity SDK.
The use of third-party software for an application’s authentication component is fairly common.
As Watkins noted: “The complexities of providing different forms of authentication, maintaining secure infrastructure, and accessing and managing identities can be costly and require expertise in order to do it right.”
However, it can also leak data. In this case, the SDK included built-in credentials that exposed the biometric digital fingerprints users rely on for authentication, along with their names and dates of birth. “The fingerprints of more than 300,000 people have been detected,” O’Brien said.
Besides personal information of banking customers, the access key also exposed server infrastructure and schemas, including API source code and AI models used.
Finally, in a third example of mobile app supply chain risk, Symantec found 16 online gambling apps that used a vulnerable software library that, according to Watkins, “exposed the entire infrastructure and cloud services across all AWS clouds with full read/write root account credentials.” Not a good look for the highly regulated sports betting industry.
The security company said it had informed all of these organizations of the flaw.
Why do apps have hard-coded access keys?
There are several reasons why hard-coded access keys turn up in these apps. Some are legitimate: the app needs to download resources or reach cloud services, such as the AWS translation service, that require authentication. Sometimes it is a matter of dead code left behind, or credentials used to test the app that were never removed before it went into production.
“Mostly, it’s motivated by a degree of ignorance as to what you’re revealing,” O’Brien said. “By using the credentials to access a single resource in the cloud, you’re exposing everything else that can be accessed with those credentials. It’s probably a combination of a little bit of ignorance and maybe a bit of negligence on the part of the developers.”
He added that organizations can protect themselves from these software supply chain flaws by following best practices for sharing and utilizing resources from the cloud IT provider.
“In particular, developers should never reuse cloud shares dedicated to user data with internal company data, and should ensure that all shares are appropriately secured with permissions designed for the data that is stored,” O’Brien cautioned. “Short-lived tokens that are limited to only the data and cloud services required by the application, nothing more, are the way to go.” ®
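The advice above boils down to one check on whatever policy sits behind a credential an app carries: does it allow only the APIs the app needs, or everything in the account? The following is an added example, not code from Symantec, AWS or any of the apps described: a small linter over IAM policy documents that flags the patterns behind the cases on this page, next to a policy scoped the way the translation-service token should have been. The three policies are constructed for the example; `translate:TranslateText` is a real IAM action, and the `DATA_STORE_SERVICES` list is an assumption about which services an app-embedded credential should never reach with a wildcard resource.

```python
from __future__ import annotations

import json

# Services whose APIs act on stored customer data. An app-embedded credential
# that reaches one of these with Resource "*" can read every bucket or table
# the account owns, which is the S3 exposure the researchers describe.
DATA_STORE_SERVICES = {"s3", "dynamodb", "rds", "secretsmanager"}


def _as_list(value) -> list:
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list[str]:
    """Return human-readable findings for grants too broad for an app token."""
    findings: list[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = [str(a) for a in _as_list(st.get("Action", []))]
        resources = [str(r) for r in _as_list(st.get("Resource", []))]

        for a in actions:
            if a == "*":
                findings.append(f"statement {i}: Action '*' allows every API in every service")
            elif a.endswith("*"):
                findings.append(f"statement {i}: wildcard action '{a}' allows more than one API")

        if "*" in resources:
            services = {a.split(":", 1)[0] for a in actions if ":" in a}
            if "*" in actions or services & DATA_STORE_SERVICES:
                findings.append(
                    f"statement {i}: Resource '*' lets these actions reach every resource in the account"
                )
    return findings


# Constructed: what the gambling-app library effectively shipped (full account access).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: every S3 API on every bucket, the "millions of private files" case.
S3_FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}

# Constructed: the translation-service token limited to the one API the SDK calls.
# TranslateText is not resource-scoped in IAM, so Resource "*" is the narrowest
# option here, and the linter accepts it because the only service touched is translate.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "translate:TranslateText", "Resource": "*"},
    ],
}


def main() -> None:
    for name, policy in [("broad", BROAD_POLICY), ("s3_full", S3_FULL_POLICY), ("scoped", SCOPED_POLICY)]:
        print(f"--- {name} ---")
        print(json.dumps(policy["Statement"], indent=2))
        for f in policy_findings(policy) or ["ok: no over-broad grants"]:
            print("  ", f)


if __name__ == "__main__":
    main()
```

Scoping the policy removes the blast radius but not the exposure: a long-term key baked into an app is still readable by anyone who unpacks it. The scoped policy is what a short-lived credential handed to the app at runtime should be bound to, so that a leaked token expires on its own and reaches only the translation API.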