The App Store and Google Play Store are a treasure trove of applications. Yet they also regularly hand cybercriminals an extra gift: hardcoded credentials for AWS and Azure Blob Storage.
This issue was raised by two researchers from Broadcom’s Symantec Security Technology & Response, Yuanjing Guo and Tommy Dong. “This dangerous activity allows anyone with access to the app’s binaries or source code to extract these credentials and misuse them to manipulate or steal data, potentially leading to serious security breaches,” the two said.
This can have serious consequences, including removing or manipulating backend services and exposing proprietary data. In addition, because user data may reside in AWS or Azure Blob Storage, an attacker may be able to misuse credentials to steal user data.
AWS and Azure leaks
As the examples show, these credential leaks are the result of lackluster coding practices. One Android app that has been downloaded 5 million times loads AWS credentials for an Amazon S3 bucket used in production. With minimal effort, the staging credentials used for app testing can be pulled from the same app as well.
Elsewhere, app developers make it even easier for malicious actors. One iOS app with 3.9 million ratings that ranks highly in its category contains cleartext credentials, including access keys and private keys. Other apps also connect to AWS via hard-coded credentials, which Symantec’s researchers describe as a “significant risk.”
The AWS cases are not unique: Azure Blob Storage is affected too. Again, the incidents involving this service concern hard-coded credentials inside apps with millions or hundreds of thousands of downloads. In some cases the credentials sit in plaintext in the binary itself, which makes them all the easier to find.
Convenience over safety?
This trend reveals two things. First, the pattern identified by Symantec’s researchers is clear: it is apparently habitual among many app developers to embed credentials in this way, as if they were public API keys.
Second, there is a lack of standardization, as the methods vary widely. Sometimes a connection string containing the credentials is involved, but more often it is plaintext data in a binary that should always be kept under lock and key.
Symantec’s researchers are calling for a shift to more secure coding practices. For example, credentials can be read from environment variables at runtime so that sensitive values never end up in the code itself. Developers can also simply use the tooling that AWS (Secrets Manager) and Microsoft (Azure Key Vault) already provide. Encryption, too, is often absent where it is painfully obvious that it should be used.
More broadly, code reviews and audits and automated security scanning are clearly lacking. Symantec therefore recommends that development teams apply these techniques to catch problems early. The use of security tooling is also recommended, and, not surprisingly, Symantec points to its own Symantec Endpoint Protection to help alleviate the issue.
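The automated scanning the researchers recommend can be as simple as running a credential detector over source trees and app binaries before release. The following is an added example written for this article, not code from Symantec or from any app it describes: it looks for the two credential shapes the article names (AWS access key IDs with their secret keys, and Azure Storage connection strings), uses a Shannon-entropy check so that placeholder values are not reported, and also pulls printable strings out of a binary blob the way `strings` would, since the article notes that some leaks sit in the binary itself. The sample source file and sample binary are constructed for the example; the AWS values are the example keys from AWS’s own documentation, and the Azure account name and key are invented.

```python
import math
import re
from dataclasses import dataclass

# Heuristic patterns for the credential types discussed above.
# An AWS access key ID has a fixed prefix and 16 more upper-case alphanumerics;
# the secret key and the Azure AccountKey are base64-like blobs that we confirm
# with an entropy check so that "0000..." style placeholders are not flagged.
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET_KEY_ASSIGNMENT = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"]([A-Za-z0-9/+=]{40})['\"]")
AZURE_CONNECTION_STRING = re.compile(
    r"DefaultEndpointsProtocol=https?;AccountName=([A-Za-z0-9]+);"
    r"AccountKey=([A-Za-z0-9+/=]{20,})")
# Runs of 8+ printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


@dataclass
class Finding:
    line_no: int   # 1-based line (or printable-run index for binaries)
    kind: str      # which credential type matched
    value: str     # the matched key ID / secret / account name


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real keys score high, placeholders low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Scan source text line by line and return every credential-like match."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_KEY_ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append(Finding(line_no, "aws_secret_access_key", m.group(1)))
        for m in AZURE_CONNECTION_STRING.finditer(line):
            if shannon_entropy(m.group(2)) >= min_entropy:
                # Report the account name, not the key, so the report itself
                # does not become a second copy of the secret.
                findings.append(
                    Finding(line_no, "azure_storage_connection_string", m.group(1)))
    return findings


def scan_binary(data: bytes) -> list[Finding]:
    """Extract printable runs from a binary (as `strings` would) and scan them."""
    runs = [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(data)]
    return scan_text("\n".join(runs))


# Constructed sample source file (hypothetical app code, not from any real app).
SAMPLE_SOURCE = """\
// Constructed sample, not taken from any real app.
public class StorageConfig {
    static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String AWS_SECRET_PLACEHOLDER = "0000000000000000000000000000000000000000";
    static final String AZURE_CONN = "DefaultEndpointsProtocol=https;AccountName=constructedstorage;AccountKey=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/==;EndpointSuffix=core.windows.net";
    static final String PUBLIC_MAPS_KEY = "pk_public_maps_key_example";
}
"""

# Constructed binary blob: a few non-printable bytes around an embedded key ID.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                 + b"AKIAIOSFODNN7EXAMPLE\x00" + b"\xde\xad\xbe\xef")


def main() -> None:
    for label, findings in (("source", scan_text(SAMPLE_SOURCE)),
                            ("binary", scan_binary(SAMPLE_BINARY))):
        for f in findings:
            # Redact in the report: a scanner log should not leak the secret too.
            print(f"{label}:{f.line_no} {f.kind} {f.value[:4]}...")


if __name__ == "__main__":
    main()
```

The placeholder on line 5 of the sample and the public maps key on line 7 are deliberately left unreported: the first fails the entropy check, the second matches no credential shape. Tune `min_entropy` downward if a team's real keys are shorter or less random than the AWS and Azure formats assumed here.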