An analysis of widely used mobile apps from Google Play and the Apple App Store has found cloud service credentials hard-coded and unencrypted inside the apps, exposing millions of users to serious security risks.
According to Yuanjing Guo and Tommy Dong, software engineers at Symantec’s Security Technology and Response group, the problem comes down to lazy coding. The pair warn that leaving credentials in the code means anyone with access to the app’s binaries or source code can reach the backend infrastructure and exfiltrate user data.
“This action exposes critical infrastructure to potential attacks, putting user data and backend services at risk,” Symantec researchers warned. “The spread of these vulnerabilities across both iOS and Android platforms highlights the urgent need to move to more secure development practices,” they added.
The apps Symantec has confirmed as affected are listed below, but there may be more.
- photo stitching – More than 5 million people have rated this collage editing app for Android, but unfortunately it contains hard-coded AWS credentials that allow attackers to access the linked Amazon S3 buckets. The production credentials that could be harvested include the bucket name, read and write access keys, and the secret key.
- crumble – This iOS app helps users procure sweet treats, but it also exposes the developer’s AWS credentials in plaintext, including access and secret keys. “Additionally, having a WebSocket Secure (WSS) endpoint built into the code, wss://***.iot.us-west-2.amazonaws.com, highlights a major security oversight,” the researchers warned.
- Eureka – This survey-answering app, rated by nearly 500,000 Apple and Android users, has AWS credentials hard-coded directly within the app, with the access and secret keys stored in plain text.
- video shop – This video editor code contains unencrypted AWS credentials that could allow someone with the binaries to steal data, access and bring down the backend infrastructure. Approximately 400,000 people have rated this app.
- Mercabs – This Indian taxi-hailing app is used by around 5 million people and has hard-coded Azure credentials that allow access to cloud storage settings.
- Sureka business – This networking and lead-generation app has around 500,000 users and says it takes website security seriously. However, Symantec’s analysis found multiple hard-coded Azure credentials, which would let attackers use the plaintext connection strings to access Azure Blob Storage containers.
- resound tinnitus relief – This sound therapy app has around 500,000 users, but it also embeds Azure Blob Storage credentials where they are easy to find, which isn’t exactly music to the ears of security experts. The same goes for the Beltone tinnitus relief app on Android, which has around 100,000 users.
- EatSleepRIDE Motorcycle GPS – This forum app contains hard-coded Twilio credentials, putting an estimated 100,000 users at risk.
Symantec recommends that users install third-party security software to block the effects of these coding errors, but, surprisingly, Symantec itself does not have a security product suited to this purpose. Users should also pay close attention to any permissions requested by apps and only install apps from trusted sources.
Alternatively, developers can write better code and use services like AWS Secrets Manager or Azure Key Vault, which are designed to keep sensitive information safe. Symantec researchers also recommend encrypting everything and conducting regular code reviews and security scans. ®
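The "regular code reviews and security scans" advice above is the kind of thing that can be automated as a build gate. The following is an added example, not code from the article or from Symantec, of a minimal secret scanner that pulls printable strings out of a compiled app binary (the way the `strings` tool does) and looks for the credential shapes named in the report: AWS access key IDs, Azure Storage connection strings with an embedded `AccountKey`, Twilio account SIDs, and AWS IoT WebSocket endpoints. The regular expressions are an assumption, conservative approximations of the publicly documented formats rather than any vendor's detection logic, and the sample binary is constructed inline; the AWS key in it is AWS's own documented placeholder, not a live credential.

```python
import re
from typing import Dict, List

# Credential shapes to look for. These patterns are an assumption for this
# example: rough approximations of the public formats, not Symantec's rules.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure_storage_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{40,}",
        re.IGNORECASE,
    ),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "aws_iot_wss_endpoint": re.compile(r"wss://[A-Za-z0-9.-]+\.iot\.[a-z0-9-]+\.amazonaws\.com"),
}


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like the Unix strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def redact(secret: str) -> str:
    """Keep only a short prefix so a finding can be triaged without re-exposing the value."""
    return f"{secret[:8]}...({len(secret)} chars)"


def scan_binary(blob: bytes) -> List[dict]:
    """Scan a binary for hard-coded credentials; each finding carries a type and a redacted match."""
    findings = []
    for s in extract_strings(blob):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(s):
                findings.append({"type": name, "match": redact(m.group())})
    return findings


def build_passes_secret_gate(blob: bytes) -> bool:
    """CI-style gate: a build artifact with any credential-shaped string fails."""
    return not scan_binary(blob)


# Constructed sample "binary": some non-printable header bytes plus NUL-separated
# strings, mimicking how string constants sit inside a compiled app. The AWS key
# is AWS's documented example key; every other value is made up for this demo.
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x00".join([
    b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    b"DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey="
    + b"A" * 86 + b"==;EndpointSuffix=core.windows.net",
    b"twilio_sid=AC0123456789abcdef0123456789abcdef",
    b"wss://EXAMPLE-ENDPOINT.iot.us-west-2.amazonaws.com",
    b"Some harmless UI string that should not match anything",
]) + b"\x00\xff\xfe"

if __name__ == "__main__":
    for finding in scan_binary(SAMPLE_BINARY):
        print(f"{finding['type']:32} {finding['match']}")
    print("gate passed:", build_passes_secret_gate(SAMPLE_BINARY))
```

In practice you would run `scan_binary` over the unpacked APK or IPA (the DEX files, native libraries and asset bundles) as a release-pipeline step, and treat any finding as a blocker: the fix is to remove the value and fetch it at runtime from a service such as AWS Secrets Manager or Azure Key Vault behind a properly scoped identity, not to obfuscate it in the binary.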