As with any piece of software, mobile apps can create a range of security issues and exposures, from rogue programs that are intentionally malicious to apps that contain an obscure but important flaw. Now, new research is shedding light on systemic oversights in mobile app cloud infrastructure that are all too common and create the risk that user data can be leaked or seen where it shouldn’t be.
Researchers from Broadcom’s Symantec Threat Hunter team published findings Thursday about the prevalence of hard-coded authentication credentials hidden in the cloud services that underlie hundreds of major applications. These login credentials typically give the application access to a single file or service, such as a mechanism for an application to display public images from a company’s website or run text through a translation service at the request of a user. But in practice, the researchers found, those same credentials often give access to all the files stored in a cloud service, such as company data, database backups and system control components. And when the same third-party development company has built multiple applications or incorporates the same publicly available software development kits (SDKs), these static authentication tokens can even provide access to the infrastructure and user data of several offline apps.
All of this means that if an attacker were to discover these access tokens, they could unlock massive amounts of sensitive data just by finding a key under the rug.
“The cloud is still a new frontier. And sometimes when you hear about the practices being used, you realize that a lot of organizations may not be where they are with security on other fronts,” says Symantec’s Dick O’Brien. “It’s hard to tell if it’s people cutting corners or if it’s just a lack of knowledge of what you’re exposing by putting out those credentials, but it’s clear that the data isn’t as locked down as it should be.”
The researchers found 1,859 publicly available apps on both Android and iOS that contained encrypted Amazon Web Services credentials. The vast majority were iOS apps, a discrepancy that Symantec says it has tracked for years, but has not fully explained. Credentials present in more than three-quarters of apps provided access to private cloud services, and nearly half of these also provided access to private files. Fifty-three percent of the apps contained access tokens that were also found in other, often completely unrelated, apps.
“It was very surprising at first, but this is a systemic thing,” says O’Brien. “People need to do a full audit of what they’re using and realize that there are multiple layers. The practice of implementing hard-coded access keys is not great. Temporary credentials that expire after a short period of time are probably the way to go, and there also needs to be greater awareness that information needs to be saved.”
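The kind of check that would catch the hard-coded credentials described above, as an added example written for this article rather than Symantec’s own tooling: a small Python scanner run over strings pulled from an app bundle. The AKIA (long-lived) and ASIA (temporary STS) prefixes are AWS’s documented key-ID formats and the sample values are AWS’s public documentation placeholders; the 200-character search window and 4.0-bit entropy threshold are assumptions.

```python
import math
import re

# Access key IDs are 20 chars: a 4-letter prefix (AKIA = long-lived IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 chars of base64-like text. We only accept them when
# they sit near a key ID and look random, to keep false positives down.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets are near-random, labels and paths are not."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_aws_keys(text: str, window: int = 200, min_entropy: float = 4.0) -> list:
    """Return one finding per access key ID in `text` (e.g. `strings` output from an
    app binary or its bundled config files). Each finding records whether the key is
    long-lived and whether a plausible secret key sits within `window` characters."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        key_id = m.group(1)
        nearby = text[max(0, m.start() - window): m.end() + window]
        secret_nearby = any(
            shannon_entropy(s.group(1)) >= min_entropy
            for s in SECRET_KEY_RE.finditer(nearby)
        )
        findings.append({
            "key_id": key_id,
            "long_lived": key_id.startswith("AKIA"),
            "secret_nearby": secret_nearby,
        })
    return findings

# Constructed sample: what a bundled config file might look like once extracted.
# The values are AWS's published documentation placeholders, not live credentials.
SAMPLE_STRINGS = (
    'image_bucket = "marketing-public-assets"\n'
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'translate_endpoint = "https://translate.example.invalid/v1"\n'
)

if __name__ == "__main__":
    for f in find_hardcoded_aws_keys(SAMPLE_STRINGS):
        kind = "LONG-LIVED" if f["long_lived"] else "temporary"
        print(f"{f['key_id']}: {kind} key, secret nearby: {f['secret_nearby']}")
```

A long-lived key with its secret alongside is the pattern the researchers describe; a bare ASIA token is the expiring kind O’Brien recommends, and still worth reviewing for how it reached the bundle.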
Symantec says it has notified the developers of the applications where it saw the most pressing issues, and it hopes to raise awareness of how insecure development practices and shared resources can create exposures unless access is carefully considered and narrowly targeted.
In one case, the researchers noticed that several mainstream iOS banking apps used the same third-party AI digital-identity software development kit, which exposed credentials for the shared cloud service. While none of the banking apps built the SDK, the credentials exposed the server structure and infrastructure plans, source code, and AI models underlying the identity service. More than 300,000 biometric fingerprint files belonging to users of five of the mobile banking apps were also leaked and potentially exposed.
In another case, the researchers looked at what they describe as a large hospitality and entertainment company working with a technology company on sports-betting applications. In total, the hard-coded credentials gave infrastructure access to 16 online gambling applications, exposing their cloud services and even granting root access that could be used to take control of the backend platform.
Symantec’s O’Brien stresses that while the company is not naming the affected apps, it hopes the findings will raise awareness of these common pitfalls and their potentially large impact on users. “The things we found, it illustrates the importance of what we’re dealing with here,” he says.