Researchers at Symantec warn of hard-coded credentials in mobile apps. The security company discovered access tokens for AWS environments in nearly 2,000 apps for iOS and Android.
Hard-coded credentials are embedded directly in an application's source code. They typically allow the application to connect to a secured remote storage location or service. Hard-coded credentials are dangerous in public applications: once the source code leaks, the credentials are up for grabs.
During a recent analysis, security firm Symantec found login credentials for AWS environments in nearly 2,000 iOS and Android apps. About three-quarters contained AWS access tokens for private cloud environments. Nearly 900 exposed AWS access tokens for cloud instances with databases holding millions of records, including user data and logs.
Impact
Two of the cases were particularly risky. The first is the app of a communications service provider with more than 15,000 large customers. The organization supplies its customers with a software development kit (SDK), and that SDK exposes various AWS access tokens. A data breach at a single customer can prove fatal for the service provider.
The second example is an SDK used by the apps of multiple banks. The SDK contains hard-coded login credentials for cloud storage locations containing customers’ personal data. Names, dates of birth and even fingerprints were exposed.
Prevention
Developers are typically unaware that hard-coded credentials expose data. According to Symantec, credentials often linger when applications move from a development environment to production. Apps use access tokens to reach external data and services, such as configuration files and translation services. Once the app moves to a production environment, the access tokens should be hidden or removed. This last step is too often forgotten.
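One way to catch exactly this lingering-credential case before a build ships is a release-gate scan of the packaged artifact. The Python below is an added example, not code from Symantec's report or from any app or SDK named here; the demo bundle and the key pair inside it are constructed placeholders.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 chars: AKIA (long-lived IAM key) or ASIA (temporary
# STS key) plus 16 uppercase alphanumerics. The ID alone is a low-noise signal; the
# 40-char secret is only reported when it sits within `window` bytes of an ID.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(A[KS]IA[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def find_aws_credentials(blob: bytes, window: int = 200) -> list[dict]:
    """Return every access key ID in blob and whether a secret sits near it."""
    findings = []
    for m in KEY_ID_RE.finditer(blob):
        key_id = m.group(1).decode()
        nearby = blob[max(0, m.start() - window): m.end() + window]
        findings.append({
            "key_id": key_id,
            "offset": m.start(),
            "kind": "temporary" if key_id.startswith("ASIA") else "long-lived",
            "secret_nearby": SECRET_RE.search(nearby) is not None,
        })
    return findings


def scan_bundle(bundle: bytes, name: str) -> list[dict]:
    """Scan a release artifact. APK/AAB/IPA files are zip containers, so each
    member (dex, plist, JSON/properties config) is inspected; any other input
    is treated as one loose file. A non-empty result should fail the release."""
    if zipfile.is_zipfile(io.BytesIO(bundle)):
        with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
            members = [(f"{name}:{i.filename}", zf.read(i))
                       for i in zf.infolist() if not i.is_dir()]
    else:
        members = [(name, bundle)]
    return [{"file": member, **f}
            for member, data in members for f in find_aws_credentials(data)]


def build_demo_bundle() -> bytes:
    """Constructed stand-in for an APK: a zip whose config file still carries a
    development-time key pair. Both values are placeholders, not real keys."""
    config = (b'aws_access_key_id = "AKIAEXAMPLEEXAMPLE01"\n'
              b'aws_secret_access_key = "exampleSECRETexampleSECRETexampleSECRET0"\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.properties", config)
        # looks like an ID prefix but is part of a longer token: must not match
        zf.writestr("assets/strings.json", b'{"banner": "ASIANFOODRECIPES1234567890"}')
    return buf.getvalue()
```

Run `scan_bundle(build_demo_bundle(), "demo.apk")` to see the single finding; wiring the same call into CI against the real build output is the point of the check.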