Hardcoded AWS and Azure Credentials Found in Popular Mobile Apps


Researchers have found that numerous widely used mobile applications for both iOS and Android contain hardcoded, unencrypted credentials for cloud services such as Amazon Web Services (AWS) and Microsoft Azure Blob Storage. Embedding keys this way exposes the cloud resources behind them to anyone who unpacks the app, putting the data of millions of users at risk.

The Risks of Exposed Credentials

When developers inadvertently embed sensitive credentials directly into their app’s codebase, they create a critical security risk. According to a report from Symantec, a cybersecurity firm under Broadcom, these hardcoded credentials can easily be exploited by malicious actors. Unauthorized access to cloud storage buckets or databases may lead to data manipulation or theft, posing a severe threat to both users and organizations.

As the report states, “This dangerous practice means that anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches.”
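The extraction step the report describes is small work, because an APK is just a zip archive and the credentials sit in it as plain strings. The following scanner is an added example written for this page, not Symantec's tooling or code from any listed app: it opens every entry of an APK, runs credential-shaped regexes over the raw bytes for the key types the article names, and uses a Shannon-entropy check to skip template placeholders that match the pattern but carry no key material. The sample APK is built in memory from constructed values; the AWS pair is the example pair from AWS's own documentation, and the Azure key and Twilio SID are made up.

```python
"""Pull credential-shaped strings out of an APK.

Added example for this article; it is not Symantec's tooling. An APK is a
zip archive, so the scanner opens every entry (classes.dex, assets/, res/raw/
and so on) and runs credential-shaped regexes over the raw bytes. The sample
APK is built in memory from constructed values.
"""
import base64
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

# Shapes of the credentials the article names. Key IDs and SIDs have fixed
# prefixes; the two secret patterns match key material, so they also get an
# entropy check to skip template placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(
        rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        rb"(?i)aws[_-]?secret[_-]?access[_-]?key.{0,20}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "azure_storage_account_key": re.compile(
        rb"AccountKey=([A-Za-z0-9+/]{86}==)"),      # 64-byte key, base64-encoded
    "twilio_account_sid": re.compile(
        rb"(?<![0-9a-fA-F])AC[0-9a-f]{32}(?![0-9a-f])"),
}
SECRET_KINDS = {"aws_secret_access_key", "azure_storage_account_key"}
MIN_ENTROPY_BITS = 3.5   # "AAAA...==" scores near 0; real key material scores about 5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: filler like repeated 'A' is near 0, real keys are high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk_bytes(apk: bytes) -> list[dict]:
    """One finding per credential-shaped match in any entry of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info.filename)
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(blob):
                    value = m.group(1) if pattern.groups else m.group(0)
                    if kind in SECRET_KINDS and shannon_entropy(value) < MIN_ENTROPY_BITS:
                        continue   # looks like a placeholder, not a key
                    findings.append({"entry": info.filename, "kind": kind,
                                     "offset": m.start(), "value": value.decode()})
    return findings


def build_sample_apk() -> bytes:
    """A fake APK built in memory; every value here is constructed for the example."""
    azure_key = base64.b64encode(hashlib.sha512(b"constructed example key").digest())
    entries = {
        # String-table contents as they sit in a compiled classes.dex.
        # The AWS pair is the documented AWS example pair, never a live key.
        "classes.dex": (b"\x00aws_access_key_id = \"AKIAIOSFODNN7EXAMPLE\"\x00"
                        b"aws_secret_access_key = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\x00"),
        "res/raw/storage.json": (b'{"conn": "DefaultEndpointsProtocol=https;AccountName=examplestore;'
                                 b'AccountKey=' + azure_key + b';EndpointSuffix=core.windows.net"}'),
        "assets/twilio.properties": b"twilio.sid=AC0123456789abcdef0123456789abcdef\n",
        # A template with a placeholder key: matches the regex, fails the entropy check.
        "assets/config.template": b"AccountKey=" + b"A" * 86 + b"==\n",
        "AndroidManifest.xml": b"<manifest/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk_bytes(build_sample_apk()):
        print(f"{f['entry']}:{f['offset']} {f['kind']} {f['value'][:8]}...")
```

Run against a real APK with `scan_apk_bytes(open("app.apk", "rb").read())`. A match only proves that a string has the right shape; whether it is live has to be checked against the provider (for AWS, `sts get-caller-identity` with the pair), which is the step that produced the "still valid" figures in Symantec's earlier report.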

A Disturbing Trend

Symantec’s researchers identified several apps on Google Play that contain these vulnerabilities. Notable examples include:

  • Pic Stitch (5M+ downloads) – Contains hardcoded AWS credentials.
  • Meru Cabs (5M+ downloads) – Contains hardcoded Microsoft Azure Blob Storage credentials.
  • Sulekha Business (500K+ downloads) – Contains hardcoded Microsoft Azure Blob Storage credentials.
  • ReSound Tinnitus Relief (500K+ downloads) – Contains hardcoded Microsoft Azure Blob Storage credentials.
  • Saludsa (100K+ downloads) – Contains hardcoded Microsoft Azure Blob Storage credentials.
  • Chola Ms Break In (100K+ downloads) – Contains hardcoded Microsoft Azure Blob Storage credentials.
  • EatSleepRIDE Motorcycle GPS (100K+ downloads) – Contains hardcoded Twilio credentials.
  • Beltone Tinnitus Calmer (100K+ downloads) – Contains hardcoded Microsoft Azure Blob Storage credentials.

The exposure of these keys raises serious concerns about the security of user data and the potential for data breaches.

Similarly, several popular applications available on Apple’s App Store also exhibit these vulnerabilities:

  • Crumbl (3.9M+ ratings) – Contains hardcoded AWS credentials.
  • Eureka: Earn Money for Surveys (402.1K+ ratings) – Contains hardcoded AWS credentials.
  • Videoshop – Video Editor (357.9K+ ratings) – Contains hardcoded AWS credentials.
  • Solitaire Clash: Win Real Cash (244.8K+ ratings) – Contains hardcoded AWS credentials.
  • Zap Surveys – Earn Easy Money (235K+ ratings) – Contains hardcoded AWS credentials.

While Apple does not display download counts, an app's rating count is typically a small fraction of its installs, so the real user base is considerably larger than these figures.


Implications for Users

It’s important to note that the presence of these apps on your device does not necessarily indicate that your personal data has been compromised. However, the potential for hackers to access and exfiltrate sensitive information exists if developers do not take immediate action to mitigate these vulnerabilities.

In an earlier report from September 2022, Symantec had already found more than 1,800 mobile apps containing AWS credentials, 77% of them with access tokens that were still valid at the time of analysis. That a large share of shipped keys remain live years later raises serious questions about secret handling in mobile app development.

Best Practices for Developers

To prevent such vulnerabilities, developers should follow established practices for handling secrets in mobile applications. The rule that matters most: anything compiled into an app ships to every user, and any user can unpack the binary and read it, so an app should never hold a long-lived cloud key at all. Key recommendations:

  1. Keep Long-Lived Credentials Off the Device: Environment variables and build-time configuration keep secrets out of source control, but a value read from them at build time still ends up in the binary. Long-lived keys belong on a backend you control; the app authenticates the user to that backend and receives only a short-lived, narrowly scoped token (an AWS STS session or Cognito identity, or an Azure SAS token limited to one container or blob) that is useless once it expires.

  2. Implement Secrets Management Tools: Utilize tools like AWS Secrets Manager or Azure Key Vault to manage, rotate and audit credentials on the server side. They do not help an app that calls them directly, since reaching the vault itself requires a credential.

  3. Encrypt Sensitive Data: Always encrypt sensitive information, both at rest and in transit. Encrypting a key inside the app only raises the cost of extraction, because the decryption key ships in the same package; it is not a substitute for recommendation 1.

  4. Conduct Regular Code Reviews and Audits: Frequent code reviews can help identify hardcoded secrets and other security flaws before they reach a release.

  5. Integrate Automated Security Scanning: Run secret scanners in the development pipeline, both over the source tree and over the built APK or IPA, so credentials in assets, resources and third-party SDKs are caught as well. Treat any key that has ever been committed or shipped as compromised: revoke it and issue a new one, since removing it from the next release does not invalidate the copies already distributed.
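What the recommendations above look like for the Azure case in the app list, as an added example written for this page (not code from any of the apps or from Symantec): the storage account key stays in backend configuration, and the backend hands the app a SAS token that can read exactly one blob for ten minutes. Account name, container, blob and key are constructed placeholders. The string-to-sign layout follows the service SAS format Microsoft documents for API version 2020-12-06; verify it against the current documentation, or use the Azure SDK's `generate_blob_sas`, before relying on it in production.

```python
"""Issue a short-lived, read-only Azure Blob SAS from a backend so the storage
account key never ships inside the app.

Added example for this article, not code from any listed app or from Symantec.
Account name, container, blob and key are constructed placeholders. The
string-to-sign layout follows the service SAS format Microsoft documents for
API version 2020-12-06; check it against the current docs, or use the Azure
SDK's generate_blob_sas, before relying on it in production.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2020-12-06"

# Constructed 64-byte account key, base64-encoded as Azure presents it. In the
# vulnerable apps this value sat in the APK as part of a connection string;
# here it lives only in backend configuration.
FAKE_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_blob_read_sas(account: str, container: str, blob: str,
                       account_key_b64: str, now: datetime,
                       ttl: timedelta = timedelta(minutes=10)) -> dict:
    """Backend side: sign a token that reads exactly one blob until now + ttl."""
    start = _iso(now - timedelta(minutes=5))   # tolerate client clock skew
    expiry = _iso(now + ttl)
    fields = [
        "r",                                    # signedPermissions: read only
        start,                                  # signedStart
        expiry,                                 # signedExpiry
        f"/blob/{account}/{container}/{blob}",  # canonicalizedResource
        "",                                     # signedIdentifier: no stored policy
        "",                                     # signedIP
        "https",                                # signedProtocol
        SAS_VERSION,                            # signedVersion
        "b",                                    # signedResource: a single blob
        "",                                     # signedSnapshotTime
        "",                                     # signedEncryptionScope
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct
    ]
    string_to_sign = "\n".join(fields)
    mac = hmac.new(base64.b64decode(account_key_b64),
                   string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return {"sv": SAS_VERSION, "sr": "b", "sp": "r", "st": start, "se": expiry,
            "spr": "https", "sig": base64.b64encode(mac).decode()}


def blob_url(account: str, container: str, blob: str, sas: dict) -> str:
    """App side: the only thing the client ever holds is this expiring URL."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(sas)}"


if __name__ == "__main__":
    sas = make_blob_read_sas("examplestore", "reports", "2024/q1.pdf",
                             FAKE_ACCOUNT_KEY, SAMPLE_NOW)
    print(blob_url("examplestore", "reports", "2024/q1.pdf", sas))
```

The difference from the vulnerable layout is what a leak costs: a SAS URL pulled out of memory or a log grants read access to one blob for a few minutes, whereas an account key pulled out of the APK grants full control of the storage account until someone rotates it, and rotation then requires shipping a new app version. With the key on the server, rotation is a configuration change the client never sees.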

Conclusion

The discovery of hardcoded cloud service credentials in popular mobile apps is a wake-up call for both developers and users. By implementing robust security practices and remaining vigilant, developers can protect user data and prevent potential breaches. Users should remain aware of the apps they use and the data they share, as the security landscape continues to evolve. As the digital world grows, so too must our commitment to maintaining strong security practices to protect sensitive information.
