Mobile Apps With Millions of Downloads Expose Cloud Credentials

Published: 23/11/2024   Category: security




Popular titles on both Google Play and Apple's App Store include hardcoded and unencrypted AWS and Azure credentials in their codebases or binaries, leaving those credentials open to extraction and misuse by threat actors.



Several widely used mobile apps, some with millions of downloads, expose hardcoded and unencrypted credentials to cloud services within their code bases, researchers from Symantec have found. This potentially allows anyone with access to the app's binary or source code to extract the credentials and misuse the cloud infrastructure behind the app.
Popular apps for both Android and iPhone devices include credentials for either Amazon Web Services (AWS) or Microsoft Azure Blob Storage within their code, Symantec revealed in a blog post this week. And they're found on each device platform's respective official mobile app store: Google Play and Apple's App Store.
This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches, Symantec engineers wrote in the post.
Further, the widespread nature of the vulnerabilities across apps for both iOS and Android platforms underscores the urgent need for a shift towards more secure development practices when it comes to mobile applications, they added.
Symantec’s research zeroed in on a number of widely distributed mobile applications that included either AWS or Azure credentials in their codebases. In terms of the former, both Android and iOS apps are guilty of credential exposure, while several Android apps expose Azure storage credentials.
For example, an app called The Pic Stitch: Collage Maker found on the Google Play store contains hardcoded AWS production credentials — including the production Amazon S3 bucket name, the read and write access keys, and secret keys — in its codebase, the researchers found. It also reveals staging credentials in some cases.
Meanwhile, three iOS apps examined by Symantec also were found to expose AWS credentials. One, called Crumbl, which has more than 3.9 million user ratings and is ranked No. 5 in the Food & Drink category on the Apple App Store, initializes an AWSStaticCredentialsProvider with plaintext credentials. The credentials, which are used to configure AWS services, include both an access key and secret key.
Furthermore, the app also includes another significant security oversight by including a WebSocket Secure (WSS) endpoint within its code. This endpoint, part of the Amazon API URL, is hardcoded with an API Gateway that directly connects to the Internet of Things services on AWS.
Exposing such URLs alongside static credentials makes it easier for attackers to potentially intercept or manipulate communications, leading to unauthorized access to the associated AWS resources, the engineers wrote. Thus, this vulnerable configuration, without proper encryption or obfuscation, presents a serious risk to the integrity of the application and its backend infrastructure, they noted.
Two other iOS apps with hundreds of thousands of App Store ratings also expose AWS credentials by hardcoding them directly within their code; the apps are Eureka: Earn Money for Surveys and Videoshop – Video Editor.
The former allocates an INMAWSCredentials object and initializes it with the access key and secret key, both stored in plaintext, which can be used to log events to AWS, exposing critical cloud resources to potential attacks, the engineers said.
The latter directly embeds unencrypted AWS credentials in the [VSAppDelegate setupS3] method, which means anyone with access to the app's binary could easily extract them. This would give them unauthorized access to the associated S3 buckets and potentially lead to data theft or manipulation.
Similarly, three Android applications expose credentials to Microsoft Azure Blob Storage directly, via either their binaries or codebases, Symantec found.
An Indian ride-sharing app, Meru Cabs — which has more than 5 million downloads on Google Play — includes hardcoded Azure credentials within its UploadLogs service by embedding a connection string that includes an account key. This connection string is used to manage log uploads, exposing critical cloud storage resources to potential abuse, the engineers wrote.
Sulekha Business, another Android app with more than 500,000 downloads, embeds multiple hardcoded Azure credentials used for various purposes — such as adding posts, handling invoices, and storing user profiles — across its codebase.
A third Android app that also has more than 500,000 downloads, ReSound Tinnitus Relief, also hardcodes Azure Blob Storage credentials for managing various assets and sound files, the exposure of which could lead to unauthorized access and data breaches.
Symantec's findings come a day after the release of a report by Datadog that found that unmanaged credentials that live for too long on a cloud-based network posed a security risk to half of organizations. Indeed, any inadvertent disclosure of credentials to cloud services exposes any organization with network infrastructure, software, or other assets running on them to significant risk, according to Symantec.
A good place to start to mitigate these risks is in the development of applications, where developers should follow best practices for managing sensitive information. They include the use of environment variables to store sensitive credentials so they are loaded at runtime rather than embedded directly in the app's code, according to Symantec.
Developers also should use dedicated secrets management tools, such as AWS Secrets Manager or Azure Key Vault, to securely store and access credentials. If the credentials must be stored in the app, then they should ensure that they use strong encryption algorithms, and decrypt them at runtime as needed.
According to Symantec, another way to protect credentials and also avoid other potential app-development missteps is to integrate automated security-scanning tools into the development pipeline to detect common security flaws early in the development process.
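As an added illustration of the kind of pipeline check Symantec recommends (this is example code written for this page, not Symantec's tooling and not code from any of the apps named above), the Python scanner below walks source or decompiled-strings text and flags the patterns the article describes: AWS access key IDs, high-entropy 40-character values sitting next to a "secret" label, Azure Storage connection strings that carry an AccountKey, and calls to static-credential APIs such as AWSStaticCredentialsProvider. The regexes, the entropy threshold and the rule names are the example's own assumptions; the sample input is constructed, using Amazon's documented placeholder key pair and a fabricated Azure key, and the report redacts whatever it finds so the scanner output never re-leaks a secret.

```python
"""Hardcoded cloud-credential scanner (added example; not Symantec's or any app's code)."""
import math
import re
from dataclasses import dataclass

# Assumed threshold: bits of entropy per character below which a 40-char
# candidate is treated as a placeholder (e.g. "AAAA...") rather than a key.
ENTROPY_THRESHOLD = 3.0

# AWS access key IDs have a fixed prefix and a fixed 16-character tail.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret keys are 40 base64-alphabet chars; only consider them when a
# "secret" label sits shortly before the value, to keep false positives down.
AWS_SECRET_RE = re.compile(r"(?i)secret[\w\s\"':=]{0,20}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
# Azure Storage connection strings embed the account key inline.
AZURE_CONN_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})")
# APIs that take literal credentials; a hit means a human should look at the call.
STATIC_PROVIDER_RE = re.compile(r"AWSStaticCredentialsProvider|INMAWSCredentials")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str  # never the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only the ends of a token so the report itself does not leak it."""
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "***"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per matched rule, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("aws_access_key_id", line_no, redact(m.group(0))))
        for m in AWS_SECRET_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("aws_secret_access_key", line_no, redact(m.group(1))))
        for m in AZURE_CONN_RE.finditer(line):
            findings.append(Finding("azure_storage_account_key", line_no, redact(m.group(1))))
        m = STATIC_PROVIDER_RE.search(line)
        if m:
            findings.append(Finding("static_credentials_api", line_no, m.group(0)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. to fail a CI job when any count is non-zero."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample input modelled on the patterns the article describes.
# The AWS pair is Amazon's documented placeholder; the Azure key is made up.
CONSTRUCTED_SAMPLE = """\
// Constructed iOS-style snippet: static provider built from literal keys.
let credentials = AWSStaticCredentialsProvider(accessKey: "AKIAIOSFODNN7EXAMPLE", secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
let region = "us-east-1"
// Constructed Android-style snippet: inline Azure Storage connection string.
private static final String CONN = "DefaultEndpointsProtocol=https;AccountName=constructedexample;AccountKey=Qm9ndXNLZXlGb3JEZW1vT25seU5vdFJlYWwwMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUA==;EndpointSuffix=core.windows.net";
// The recommended pattern: resolve the value at runtime instead of embedding it.
String key = System.getenv("STORAGE_ACCOUNT_KEY");
"""

if __name__ == "__main__":
    for f in scan_text(CONSTRUCTED_SAMPLE):
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
    print(summarize(scan_text(CONSTRUCTED_SAMPLE)))
```

Run against the constructed sample it reports three findings on the Swift-style line (access key ID, secret key, static-provider API) and one on the Android-style line (Azure account key), and nothing for the region literal or the getenv call. The entropy gate is what keeps a line like `secret = "AAAA…"` out of the report; wiring `summarize` into a CI step that fails on any non-zero count is the natural next step.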
