Several popular mobile apps, including Pic Stitch, Crumbl, Eureka, and Videoshop, have been found to store AWS credentials directly within their codebases, which exposes sensitive information, such as access keys and secret keys, to potential attackers, compromising the security of these apps and their users.
Crumbl’s code exposes AWS credentials by initializing AWSStaticCredentialsProvider with plain-text keys alongside a hardcoded WSS endpoint, leaving the connection vulnerable to interception.
The Eureka app stores in plain text within its code the AWS credentials it uses to log events to AWS, leaving them exposed and potentially granting attackers access to critical cloud resources.
Videoshop embeds unencrypted AWS credentials in its code, where they are easily extracted and abused; an attacker holding them could gain unauthorized access to the app’s S3 buckets and potentially compromise user data or disrupt services.
Several Android apps have been found to store unencrypted Microsoft Azure Blob Storage credentials directly in their source code, which makes it easy for attackers to extract these credentials and gain unauthorized access to sensitive user data stored in the associated cloud storage.
Meru Cabs’ UploadLogs service inadvertently exposed Azure credentials by hardcoding into the app the connection string it uses for log uploads, potentially granting unauthorized access to critical cloud storage resources and posing a significant security risk.
The Sulekha Business app stores hardcoded Azure credentials, used for various functions, as plain-text connection strings in its codebase, leaving them vulnerable to unauthorized access and data breaches.
According to Symantec, the ReSound Tinnitus Relief app stores Azure Blob Storage credentials directly within its code, making them vulnerable to unauthorized access and potential data breaches.
This insecure practice exposes the app’s backend resources and user data to risks like data manipulation and exfiltration, emphasizing the importance of adopting more secure credential management strategies.
Hardcoded and unencrypted cloud service credentials in mobile apps pose serious security risks: they can expose critical infrastructure to attack and endanger both user data and backend services.
Given the prevalence of these issues across both the iOS and Android platforms, it is imperative that developers adopt more secure development practices as soon as possible.
To protect sensitive information in mobile apps, developers should use environment variables for credentials, implement secrets management tools, encrypt sensitive data, conduct regular code reviews and audits, and automate security scanning, all of which reduce the risk of exposing credentials and strengthen app security.
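As an illustration of the automated scanning recommended above, here is a small added example (not Symantec’s tooling or any of the named apps’ code) that flags the kinds of hardcoded secrets described in this article: AWS access key IDs, secret keys passed to AWS credential constructors, and Azure Storage connection strings with an embedded AccountKey. The sample input is constructed; the AWS values are the placeholder keys from AWS documentation, and the Azure key is made up.

```python
import re
import sys
from dataclasses import dataclass

# Long-term AWS access key IDs are 20 characters beginning with "AKIA".
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A 40-char base64-like literal near "secret" or an AWS credentials constructor
AWS_SECRET = re.compile(
    r"(?i)(?:secret\w*|BasicAWSCredentials|AWSStaticCredentialsProvider)"
    r"[\s\S]{0,80}?['\"]([A-Za-z0-9/+=]{40})['\"]")
# Azure Storage connection strings carry the account key in clear text.
AZURE_CONN = re.compile(r"AccountName=[^;'\"]+;AccountKey=([A-Za-z0-9+/=]{20,})")
PATTERNS = [("aws_access_key_id", AWS_KEY_ID, 0),
            ("aws_secret_access_key", AWS_SECRET, 1),
            ("azure_storage_account_key", AZURE_CONN, 1)]

@dataclass
class Finding:
    kind: str
    line: int
    redacted: str  # first four characters kept; the rest is masked

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text: str) -> list[Finding]:
    hits = []
    for kind, pattern, group in PATTERNS:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start(group)) + 1  # line of the secret itself
            hits.append(Finding(kind, line, redact(m.group(group))))
    return sorted(hits, key=lambda f: (f.line, f.kind))

def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

# Constructed sample in the style of the credential-initialising code described
# above (AWS values are documentation placeholders; the Azure key is made up).
SAMPLE = '''AWSCredentials creds = new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE",
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
String conn = "DefaultEndpointsProtocol=https;AccountName=uploadlogsdemo;AccountKey=c29tZWZha2VrZXlmb3J0ZXN0aW5nb25seQ==;EndpointSuffix=core.windows.net";
'''

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for f in hits:
        print(f"line {f.line}: {f.kind} {f.redacted}")
    sys.exit(1 if hits else 0)  # non-zero exit fails a CI or pre-commit check
```

Run with a file path to scan real source; the non-zero exit code lets it gate a pre-commit hook or CI job, and findings are reported redacted so the scanner’s own logs never repeat the secret.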