Several popular mobile applications for iOS and Android come with hard-coded, unencrypted credentials for cloud services such as Amazon Web Services (AWS) and Microsoft Azure Blob Storage, which protect user data and Your source code has been exposed to a security breach.
If this type of credential is exposed, it can easily lead to unauthorized access to storage buckets or databases containing sensitive user data. Apart from this, attackers can also use them to manipulate or steal data.
According to a report from Symantec, a Broadcom company, these keys exist in the app’s codebase due to errors or poor practices during development.
“Recent analysis reveals an alarming trend: Some widely used apps include hard-coded and unencrypted cloud service credentials within their codebases. ,” Symantec explains.
“This dangerous activity allows anyone with access to the app’s binaries or source code to extract these credentials and misuse them to manipulate or steal data, potentially leading to major security breaches. “This means that,” the researchers said.
Symantec says its researchers discovered credentials to cloud services in the following apps on Google Play:
- photo stitch – Over 5 million downloads – Amazon hardcoded credentials
- Mercabs – Over 5 million downloads – Hardcoded credentials for Microsoft Azure Blob Storage
- Sureka businesss – 500,000+ downloads – Microsoft Azure Blob Storage Hardcoded Credentials
- resound tinnitus relief – 500,000+ downloads – Microsoft Azure Blob Storage Hardcoded Credentials
- Salusa – 100,000+ downloads – Microsoft Azure Blob Storage Hardcoded Credentials
- Chola Ms Breakin – 100,000+ downloads – Microsoft Azure Blob Storage Hardcoded Credentials
- EatSleepRIDE Motorcycle GPS – 100,000+ downloads – Twilio hardcoded credentials
- Beltone relieves tinnitus – 100,000+ downloads – Microsoft Azure Blob Storage Hardcoded Credentials
Source: Symantec
They also discovered credentials for several popular apps listed in Apple’s App Store.
- crumble – 3.9 million+ ratings – Amazon hardcoded credentials
- Eureka: Make Money with Surveys – 402.1K+ Rating – Amazon Hardcoded Credentials
- Videoshop – Video Editor – 357.9K+ Ratings – Amazon Hardcoded Credentials
- Solitaire Clash: Earn Real Cash – 244.8K+ Ratings – Amazon Hardcoded Credentials
- Zap Surveys – Make Money Easy – 235,000+ ratings – Amazon Hardcoded Credentials
Source: Symantec
The App Store does not report download numbers, but those numbers are usually much higher than the number of ratings listed.
Note that Google displays the total number of downloads over an app’s lifetime in the Play Store, and does not reflect active installs.
The presence of the above-mentioned apps on your phone does not mean that your personal data has been stolen, but unless the developer takes action and eliminates the risk, your personal data can be accessed and hackers can steal your data. This means that there is a possibility that it may be extracted.
In September 2022, Symantec sounded the alarm about this risk, saying its researchers discovered more than 1,800 iOS and Android apps containing AWS credentials, and 77% of those apps had valid access tokens in their codebase. I emphasized that.
Researchers recommend that developers follow best practices for protecting sensitive information in mobile apps.
This includes using environment variables to store credentials, using secret management tools (AWS Secrets Manager, Azure Key Vault, etc.), data encryption, regular code reviews and audits, and sensitive data. and integrating automated security scanning early in the development process to detect security issues. .
