"Over 1,000 iOS Apps Found Exposing Hardcoded AWS Credentials"

Mobile app developers are using insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable. Malicious actors could use these credentials to gain access to private databases, resulting in data breaches and the exposure of customers' personal information. Symantec's Threat Hunting team discovered 1,859 applications with hard-coded AWS credentials; most are iOS apps, and only 37 are Android apps. About 77 percent of those applications had valid AWS access tokens that could be used to gain direct access to private cloud services. Furthermore, 874 applications contained valid AWS tokens that hackers could use to gain access to cloud instances containing live-service databases with millions of records. Depending on the type of app, these databases typically contain user account details, logs, internal communication, registration information, and other sensitive data. Hard-coded and forgotten cloud service credentials are a supply chain issue, as one SDK developer's negligence can affect every app and service that relies on that SDK. Because mobile app development relies on pre-made components rather than building everything from scratch, a security risk is likely to make its way into a project if app publishers do not thoroughly vet the SDKs or libraries they use. Developers who hard-code credentials in their products do so for convenience during development and testing, as well as to avoid proper code review for security issues. This article continues to discuss Symantec's discovery of mobile app supply chain vulnerabilities.
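As an added illustration (not code from the article or from Symantec's tooling), the kind of pre-release check an app publisher could run over the strings extracted from an app bundle before shipping it: it flags AWS access key IDs, looks for a secret key nearby, filters out the placeholder key AWS publishes in its own documentation, and uses an entropy threshold (an assumed value) to avoid false positives on padding or dummy strings. The input is a constructed strings dump, not output from any real app.

```python
import math
import re
from collections import Counter

# Access key IDs are 20 chars: prefix AKIA (long-lived IAM key) or ASIA
# (temporary STS key) followed by 16 uppercase letters/digits.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Key ID published as a sample in AWS documentation: copied boilerplate, not a leak.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}
ENTROPY_THRESHOLD = 3.5  # bits/char, assumed; real 40-char secrets sit well above this
SECRET_WINDOW = 200      # chars after the key ID in which its secret is expected

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a run of a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_aws_credentials(text: str) -> list[dict]:
    """Scan a strings dump and classify every AWS access key ID it contains."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        key_id = m.group(0)
        sm = SECRET_RE.search(text[m.end():m.end() + SECRET_WINDOW])
        secret = sm.group(0) if sm else None
        if key_id in KNOWN_PLACEHOLDERS or "EXAMPLE" in key_id:
            status = "placeholder"
        elif secret and shannon_entropy(secret) >= ENTROPY_THRESHOLD:
            status = "likely_live_pair"  # key ID plus plausible secret: treat as leaked
        else:
            status = "key_id_only"       # low-entropy or absent secret; still review
            secret = None
        findings.append({"access_key_id": key_id, "secret": secret,
                         "status": status, "offset": m.start()})
    return findings

# Constructed stand-in for `strings` output of an app bundle; contains no real credentials.
SAMPLE_STRINGS = """\
com.example.analytics-sdk
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
accessKey=AKIAZZZZCONSTRUCTED1
secretKey=Qw3eRt5yUi7oPa9sDf1gHjKlZxCvBnM0246/+8TY
token=AKIA0123456789ABCDEF
pad=0000000000000000000000000000000000000000
"""

# Statuses returned for SAMPLE_STRINGS, in order: placeholder, likely_live_pair, key_id_only
```

Any `likely_live_pair` finding should block the release until the key is rotated in AWS and the credential is moved out of the binary (for example behind a backend the app authenticates to), since rotating alone does nothing if the same SDK re-embeds it.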

Bleeping Computer reports "Over 1,000 iOS Apps Found Exposing Hardcoded AWS Credentials"
