The Symantec Threat Hunter team discovered 1859 applications on Android and iOS that contained hard-coded Amazon Web Services (AWS) credentials. The embedded tokens allowed access to private AWS credentials.

Around half of all the apps examined by the security researchers used the same AWS tokens found in other applications, which are managed by other developers and companies.

“The AWS access tokens could be traced to a shared library, third-party software development kit (SDK), or other shared component used in developing the applications,” according to the advisory, which dubbed the discovery a critical supply chain vulnerability.

The Issue

Symantec explains that developers use hard-coded access keys for several reasons: downloading or uploading assets and resources required for the app (typically large media files), accessing configuration files for the application, and accessing cloud services that require authentication.

The security team also shared findings from specific case studies. These concerned an intranet system, various iOS banking applications, and an online gaming technology system. More information about each of them can be found here.

The Symantec Threat Hunter team provided a set of recommendations to help businesses avoid supply chain issues.

“Adding security scanning solutions to the application development lifecycle and, if using an outsourced supplier, requiring and examining Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for each release of a mobile app, can be helpful in highlighting potential issues,” the team wrote.

“As an application developer, look for a report card that scans your software’s SDKs and frameworks and identifies the source of any vulnerabilities or undesirable behaviors.”
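As an added illustration of the kind of pre-release scan recommended above (this is not Symantec's tooling), the sketch below unpacks app packages, looks for strings shaped like AWS access key IDs, and reports keys that recur across apps, which points at a shared SDK or library. The function names, file names and sample archives are constructed for the example.

```python
import io
import re
import zipfile
from collections import defaultdict

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary ones) followed by 16 uppercase letters or digits.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

def scan_package(package_bytes):
    """Return {key_id: [entry names]} for one APK/IPA (both are zip archives)."""
    hits = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            for match in set(KEY_ID.findall(pkg.read(info))):
                hits[match.decode("ascii")].append(info.filename)
    return dict(hits)

def shared_keys(packages):
    """Given {app name: package bytes}, return keys present in 2+ apps."""
    seen = defaultdict(dict)
    for app, data in packages.items():
        for key, entries in scan_package(data).items():
            seen[key][app] = entries
    return {key: apps for key, apps in seen.items() if len(apps) > 1}

def build_sample(files):
    """Build a constructed in-memory archive standing in for a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, content in files.items():
            pkg.writestr(name, content)
    return buf.getvalue()

# Constructed samples. AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
SDK_BLOB = b"\x00cfg\x00accessKey=AKIAIOSFODNN7EXAMPLE\x00region=us-east-1\x00"
SAMPLES = {
    "bank-app.apk": build_sample({"lib/arm64-v8a/libvendorsdk.so": SDK_BLOB,
                                  "res/raw/notes.txt": b"no secrets here"}),
    "game-app.ipa": build_sample({"Payload/Game.app/VendorSDK": SDK_BLOB,
                                  "Payload/Game.app/config.plist":
                                      b"<string>AKIACONSTRUCTEDKEY00</string>"}),
}

if __name__ == "__main__":
    print(shared_keys(SAMPLES))
```

A key reported by `shared_keys` sits inside a bundled component rather than the app's own code, so removing it means updating or replacing that component and rotating the exposed key.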

For context, AWS technologies were also in the spotlight earlier this year when a Turkish airline unintentionally leaked the personal information of flight crew members, as well as source code and flight data, due to a misconfigured AWS bucket.

Not long ago, Amazon fixed a critical vulnerability in its Photos Android app.
