Millions of installed apps contain hard-coded cloud accesses
Millions of installed Android and iOS apps contain hard-coded cloud access data. This jeopardizes privacy, for example.
While investigating popular apps, Symantec found hardcoded, unencrypted credentials for cloud services in their code bases. Anyone with access to the app binary or its sources could extract these credentials and misuse them to manipulate or exfiltrate data, which leads to serious security breaches.
In a blog post, Symantec's security researchers analyze several example apps, focusing on those that contain hardcoded credentials for Amazon Web Services (AWS) and Microsoft Azure Blob Storage.
Hardcoded credentials in iOS and Android apps
The Android app "Pic Stitch: Collage Maker" has more than five million installations in the Play Store and contains AWS credentials. The same problem appears in three popular iOS apps: "Crumbl", "Eureka: Earn Money for Surveys" and "Videoshop - Video Editor". "Crumbl" has received almost four million ratings in the App Store and is ranked fifth in the "Food and Drink" category. The plaintext credentials stored in it can be used to configure AWS services, which opens the door to abuse. The URL embedded as an API endpoint for AWS IoT services facilitates attacks such as the interception and manipulation of communication and ultimately unauthorized access to the associated AWS resources, Symantec's employees explain. The "Eureka" app has more than 400,000 ratings, and the "Videoshop" app more than 350,000.
Credentials for Azure cloud services can also be found in apps. The Android app "Meru Cabs", for example, has been downloaded more than five million times from the Google Play Store. Its embedded connection strings and access keys expose critical cloud storage to potential misuse. At the end of the report, Symantec provides a table listing each app's name, its download or rating count, and the cloud service whose credentials it contains.
Symantec also provides tips on how developers can reduce the risk of exposing sensitive data. These include using environment variables for credentials that are loaded at runtime instead of embedding them in the code, and using secrets management tools such as AWS Secrets Manager or Azure Key Vault. If credentials must be stored in the app at all, they should be stored with strong encryption and only decrypted at runtime when they are needed.
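The following is an added example, not code from the article or from Symantec: a pre-release check that scans the unpacked resources of an app build for the credential types the report names (AWS access key IDs, Azure storage connection strings and AWS IoT endpoints) and reports them with the values redacted, next to the corrected pattern of loading credentials from the runtime environment with no literal fallback. The resource contents, paths and key values are constructed placeholders (the AWS key ID is the one AWS uses in its own documentation); the regular expressions are assumptions about the credential formats, not part of the report.

```python
"""Pre-release check for hard-coded cloud credentials in mobile app resources.

Added example for this article, not Symantec's tooling. All sample inputs are
constructed; the AWS access key id is the placeholder from AWS's own docs.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str      # which credential type matched
    location: str  # which file or resource inside the unpacked app
    redacted: str  # safe-to-log preview; never the full secret


# Assumed formats: AWS access key ids have a fixed prefix and length, Azure
# storage connection strings carry the account key inline, and AWS IoT data
# endpoints disclose the account's IoT host.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure_storage_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[^;\s\"'<]+"),
    "aws_iot_endpoint": re.compile(r"\b[a-z0-9-]+\.iot\.[a-z0-9-]+\.amazonaws\.com\b"),
}


def redact(secret: str) -> str:
    """Keep a short prefix only, so the scan report does not itself leak the value."""
    return secret[:4] + "..." + "*" * max(0, min(len(secret) - 4, 8))


def scan_text(location: str, text: str) -> list[Finding]:
    """Run every pattern over one resource's text and collect redacted findings."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(kind, location, redact(m.group(0))))
    return findings


def scan_resources(resources: dict[str, str]) -> list[Finding]:
    """resources maps a path inside the unpacked build (strings.xml, Info.plist,
    a decompiled class) to its text content."""
    out = []
    for path, text in resources.items():
        out.extend(scan_text(path, text))
    return out


def credentials_from_environment(env: dict[str, str]) -> dict[str, str]:
    """The corrected pattern: credentials are provisioned at runtime (environment
    or a secrets manager) and there is no literal default to compile into the app."""
    required = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise RuntimeError(f"credentials not provisioned: {', '.join(missing)}")
    return {k: env[k] for k in required}


# Constructed sample: an Android strings.xml and an iOS plist fragment with
# embedded credentials, plus one clean file. All values are placeholders.
SAMPLE_RESOURCES = {
    "res/values/strings.xml": (
        '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '<string name="iot_host">a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com</string>\n'
    ),
    "Info.plist": (
        "<key>AzureStorage</key>\n"
        "<string>DefaultEndpointsProtocol=https;AccountName=exampleacct;"
        "AccountKey=QUJDREVGR0hJSktMTU5PUA==;EndpointSuffix=core.windows.net</string>\n"
    ),
    "res/values/colors.xml": '<color name="primary">#FF6200EE</color>\n',
}

if __name__ == "__main__":
    for f in scan_resources(SAMPLE_RESOURCES):
        print(f"{f.kind:32} {f.location:28} {f.redacted}")
```

The check is meant to run in the build pipeline over the unpacked APK or IPA before release; a non-empty result should fail the build. Redacting the matches matters because build logs are often far more widely readable than the secrets themselves should be.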
That these are not merely theoretical dangers was shown by the warning from identity and access management provider Okta about increased attacks on login data at the end of April this year: attackers attempted to gain access to the services using compromised credentials.
(dmk)