Cloud Security, Application security

Hardcoded AWS credentials exposed by many Android, iOS apps

Hardcoded Amazon Web Services credentials have been identified in 1,859 Android and iOS apps, 77% of which had valid AWS access tokens enabling private AWS cloud service access, according to The Hacker News. More than 50% of the apps also used AWS tokens that were found in other apps from other companies and developers, indicating a significant supply chain issue, a Broadcom report showed. "The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps," said researchers. Moreover, valid AWS tokens allowing complete access to private files and Amazon Simple Storage Service buckets in the cloud were found in 47% of apps. The report showed that more than 15,000 medium-to-large-sized companies had their customers' private information exposed by an intranet and communications platform offered by an unspecified B2B company whose mobile software development kit had cloud infrastructure keys integrated into it. Moreover, over 300,000 users of five iOS banking apps with the same AI Digital Identity SDK had their fingerprint data exposed, added researchers.
