
Cloud credentials leaked in plaintext inside popular apps

The App Store and Google Play Store offer a treasure trove of applications. Many of those apps also present an additional gift to cybercriminals: hard-coded credentials for AWS and Azure Blob Storage.

The problem is raised by two researchers at Broadcom’s Symantec Security Technology & Response, Yuanjing Guo and Tommy Dong. “This dangerous practice means that anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches”, the duo says.

The consequences could be severe, such as deleting or manipulating backend services or leaking proprietary data. In addition, attackers could misuse the credentials to steal user data, as it could also reside in AWS or Azure Blob Storage.

AWS and Azure leaks

Judging by the examples, the leaked credentials are the result of lacklustre coding practices. One Android app with 5 million downloads, for instance, loads the AWS credentials for an Amazon S3 bucket used in production. With minimal extra work, the same app also loads the staging credentials meant for testing it.

Elsewhere, app developers make it even easier for malicious actors. An iOS app with 3.9 million ratings and a high placement in its category contains plaintext credentials, including an access key and a secret key. Other apps also connect to AWS via hard-coded credentials, a practice the Symantec researchers describe as a “severe risk.”

The AWS leak is not unique; Azure Blob Storage is exposed in the same way. Here too, the incidents involve hard-coded data inside apps with millions or hundreds of thousands of downloads. Sometimes the credentials sit in the binary itself, which makes finding them child’s play.

Convenience over security?

Two things stand out. First, the trend the Symantec researchers point to is plain: many app developers are evidently in the habit of embedding credentials this way, effectively treating them as if they were a public API key.

At the same time, there is no standard approach; the methods vary considerably. Sometimes the credentials are tucked into connection strings, but just as often they sit as plaintext inside the binary, data that should always have been under lock and key.

The Symantec researchers call for a move to more secure coding techniques. Environment variables, for example, are read at runtime and keep sensitive credentials out of the code itself. Developers should also make use of the help AWS (Secrets Manager) and Microsoft (Azure Key Vault) already provide. Likewise, encryption is often absent where it is painfully obvious that it ought to be used.

More broadly, there is a clear lack of code reviews and audits, and of automated security scans. Symantec therefore recommends that development teams adopt these practices to catch problems early. It also recommends security software, and not surprisingly names Symantec Endpoint Protection as the product to alleviate the issue.
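The automated scan the article recommends, as an added example (this is not code from Symantec or from the article): a small Python scanner that pulls printable strings out of an app binary the way the `strings` tool does and checks them for the credential formats the article discusses, AWS access key IDs, AWS secret keys, and Azure Storage account keys or SAS signatures. The sample blob and every value in it are constructed: the AWS pair is the placeholder pair from AWS's own documentation, the Azure key is the base64 encoding of the bytes 0..63. The `Finding` type, the entropy threshold, and all function names are this example's own choices.

```python
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # credential class the match resembles
    offset: int    # byte offset of the containing string inside the scanned blob
    redacted: str  # first and last four characters only, so the report does not re-leak it


# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 uppercase/digit chars.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret keys: 40 base64-alphabet characters. Too generic on its own, so a token is only
# reported when the same string carries credential context and the token has high entropy.
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_CONTEXT_RE = re.compile(r"(?i)secret|BasicAWSCredentials|AKIA|ASIA")
# Azure Storage account keys inside connection strings: 88 base64 characters ending in "==".
AZURE_ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
# Azure SAS URLs carry the HMAC signature in the "sig" query parameter.
AZURE_SAS_RE = re.compile(r"[?&]sig=([A-Za-z0-9%+/=]{20,})")


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking secrets score well above ordinary identifiers."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def extract_strings(blob: bytes, min_len: int = 8):
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group(0).decode("ascii")) for m in pattern.finditer(blob)]


def scan_string(offset: int, text: str) -> list:
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(text):
        findings.append(Finding("aws_access_key_id", offset, redact(m.group(0))))
    if SECRET_CONTEXT_RE.search(text):
        for m in AWS_SECRET_RE.finditer(text):
            if shannon_entropy(m.group(0)) >= 3.5:
                findings.append(Finding("aws_secret_access_key", offset, redact(m.group(0))))
    for m in AZURE_ACCOUNT_KEY_RE.finditer(text):
        findings.append(Finding("azure_storage_account_key", offset, redact(m.group(1))))
    for m in AZURE_SAS_RE.finditer(text):
        findings.append(Finding("azure_sas_token", offset, redact(m.group(1))))
    return findings


def scan_blob(blob: bytes) -> list:
    """Scan a whole binary: extract strings, then run every pattern over each string."""
    findings = []
    for offset, text in extract_strings(blob):
        findings.extend(scan_string(offset, text))
    return findings


def count_by_kind(findings) -> dict:
    return dict(Counter(f.kind for f in findings))


# Constructed sample "binary": an ELF-like header, four NUL-separated strings, trailing junk.
# The AWS pair is AWS's documented placeholder; the Azure key is base64 of bytes 0..63.
FAKE_AZURE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_STRINGS = [
    b'new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")',
    b"DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey="
    + FAKE_AZURE_KEY.encode() + b";EndpointSuffix=core.windows.net",
    b"https://examplestore.blob.core.windows.net/backups?sv=2022-11-02&ss=b"
    b"&sig=aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789%2Babc%3D",
    b"Loading storage credentials from runtime configuration",  # the recommended pattern
]
SAMPLE_BLOB = b"\x7fELF\x01\x01\x01\x00" + b"\x00".join(SAMPLE_STRINGS) + b"\x00\xff\xfe"


if __name__ == "__main__":
    results = scan_blob(SAMPLE_BLOB)
    for f in results:
        print(f"{f.kind:28s} offset={f.offset:<6d} {f.redacted}")
    print(count_by_kind(results))
```

Run against release builds in CI (the APK's classes.dex and native libraries, the unpacked IPA's Mach-O binary and plist files) and treat every hit as a credential to verify and rotate, not just to delete from the next build. Two caveats: this only extracts ASCII runs, so UTF-16 strings and credentials that are base64-wrapped or assembled at runtime need a second pass; and the entropy gate trims false positives but does not remove them, which is why the report shows only redacted values.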
