Hundreds of iOS apps could leak AWS credentials

Hundreds of mobile apps have leaked Amazon Web Services (AWS) credentials.

A recent analysis by Symantec identified 1859 publicly available apps, 98% of which are iOS apps, that contain encrypted AWS credentials that could put your data at risk.

The company found that more than three-quarters (77%) of the applications contained valid AWS access tokens that allowed access to private services in the AWS Cloud, and almost half (47%) contained valid AWS access tokens that also granted full access to many, often millions, of private files stored in Amazon Simple Storage Service (Amazon S3).

AWS password leaks

According to security researcher Kevin Watkins, the causes of these leaks include the unwitting use of vulnerable third-party software libraries and SDKs, the outsourcing of application development, and cross-team collaboration that creates many opportunities for missing or ineffective communication.
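Because the credentials often arrive inside a third-party SDK rather than the team's own code, the practical defence is to scan the finished app bundle before release, regardless of where each file came from. The following is an added example, not code from Symantec or the affected vendors: it looks for AWS access key IDs (which carry the documented AKIA/ASIA prefixes) in a file's raw bytes and only flags a secret key when a 40-character candidate sits near one. The plist fragment and the key values are a constructed sample using AWS's documentation placeholders.

```python
from __future__ import annotations
import re
from pathlib import Path

# Access key IDs are 20 characters: a documented prefix (AKIA = long-term IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 characters from the base64 alphabet. That alone is far too
# generic to report, so a secret is only reported when it sits close to an access key ID.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def _looks_like_secret(s: str) -> bool:
    # Mixed case plus a digit filters out all-caps constants and lowercase hex digests.
    return (any(c.islower() for c in s) and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s))


def find_aws_credentials(blob: bytes, window: int = 200) -> list[dict]:
    """Return candidate AWS credentials found in a file's raw bytes (text or binary)."""
    text = blob.decode("latin-1")  # one char per byte, so match offsets are byte offsets
    hits = []
    for m in ACCESS_KEY_RE.finditer(text):
        nearby = text[max(0, m.start() - window): m.end() + window]
        secret_nearby = any(_looks_like_secret(s.group(1))
                            for s in SECRET_KEY_RE.finditer(nearby))
        hits.append({"access_key_id": m.group(1), "offset": m.start(),
                     "secret_key_nearby": secret_nearby})
    return hits


def scan_app_bundle(root: Path) -> dict[str, list[dict]]:
    """Walk an unpacked .app/.ipa payload and scan every regular file, bundled SDKs included."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            hits = find_aws_credentials(path.read_bytes())
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample: a plist fragment using AWS's documentation placeholder key values.
SAMPLE_PLIST = (
    b"<key>AWSAccessKey</key><string>AKIAIOSFODNN7EXAMPLE</string>\n"
    b"<key>AWSSecretKey</key><string>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n"
)

if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE_PLIST):
        print(hit)
```

A hit with `secret_key_nearby` set is the case the analysis describes: a usable key pair shipped in the bundle, which should block the release until the key is rotated and the SDK configuration fixed.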

The analysis highlights three concrete examples of affected companies. The first, an unnamed B2B company that provides an intranet and communications platform, supplied its customers with a mobile SDK that exposed the keys to the company's cloud infrastructure, and with them data such as financial records and private files.

The second example cites a number of iOS banking apps that outsourced the digital ID and authentication component of their respective apps. Personal data of users affected by this SDK was exposed, including their names and dates of birth. Additionally, five banking apps leaked more than 300,000 biometric fingerprints.

Finally, a hospitality and entertainment company that partnered with another company to share its technology platform found itself exposing customer and business data from a library used by 16 different apps.

The results of the investigation have been shared with the affected companies, but it is not yet known whether the issues have been resolved with immediate effect.

Via Bleeping Computer