iOS mobile banking apps put 300,000 digital fingerprints at risk using hardcoded AWS credentials

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.

Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means if someone were to look inside the apps, they would have found the credentials in the code, and could potentially have used that to access the apps’ backend Amazon-hosted servers and steal users’ data. The vast majority (98 percent) were iOS apps.

In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

Additionally, almost half (47 percent) contained valid AWS tokens providing full access to sometimes millions of private files via Amazon S3 buckets. These hard-coded AWS access tokens would be easy to extract and exploit, and reflect a serious supply-chain issue, Dick O’Brien, principal editor on Symantec’s Threat Hunter Team, told The Register.

[…]

In one case, a provider of B2B services gave out a mobile SDK to its customers to integrate into their applications. It turned out the SDK contained the provider’s cloud infrastructure keys, which potentially exposed all of its data — including financials, employee information, files on more than 15,000 medium and large-sized companies, and other information — that was stored on the platform.

The SDK had a hard-coded AWS token to access an Amazon-powered translation service. However, that token granted full access to the provider’s backend systems, rather than just the translation tool.
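The failure described above (a vendor SDK shipping a long-term AWS key that is trivially found once the app is unpacked) is the kind of thing a pre-release check should catch before the app is published. The following scanner is an added example, not code from Symantec or The Register; it assumes the app bundle has already been unpacked into text files (for example `strings` output, plists or a JS bundle), and the sample bundle below is constructed, using the key values AWS itself publishes as documentation examples.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are a fixed 4-char prefix (AKIA = long-term user key, ASIA = temporary
# STS key) followed by 16 uppercase alphanumerics. Secret access keys are 40 chars drawn from
# the base64 alphabet; on their own they are noisy, so we only flag them in an AWS/secret context.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"aws|secret", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str   # "access_key_id" or "secret_key_candidate"
    value: str


def scan_text(path, text):
    """Scan one extracted file and return the credential-looking tokens it contains."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", m.group(0)))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                findings.append(Finding(path, line_no, "secret_key_candidate", m.group(0)))
    return findings


def scan_files(files):
    """files: mapping of relative path -> file text. Returns findings across the whole bundle."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample: a vendor SDK config with a baked-in key (AWS's documented example values),
# plus an app bundle that only references the Translate endpoint and carries no credentials.
SAMPLE_BUNDLE = {
    "Frameworks/VendorSDK/Config.plist": (
        "<key>AWSAccessKeyId</key><string>AKIAIOSFODNN7EXAMPLE</string>\n"
        "<key>AWSSecretKey</key><string>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n"
    ),
    "main.jsbundle": "var region='eu-west-1';\n"
                     "var translateEndpoint='https://translate.eu-west-1.amazonaws.com';\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_BUNDLE):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
```

A hit on a long-term (AKIA) key is the signal to rotate it and to check, as the article's translation-only token shows, that the IAM policy behind it grants nothing beyond the one service the SDK actually calls.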

[…]


Source: Mobile banking apps put 300,000 digital fingerprints at risk • The Register

Robin Edgar
