Code Wide Open: Popular Applications Reveal Keys to AWS and Azure

Man
Development bugs allow hackers to easily access sensitive data in the cloud.

Symantec has identified a serious security issue in a number of popular mobile applications for iOS and Android. Unencrypted, hard-coded credentials for Amazon Web Services (AWS) and Microsoft Azure Blob Storage were found in the application code, creating a risk of unauthorized access to user data and source code.

Symantec specialists note that the problem arose from mistakes made at the development stage. Embedding credentials directly in the application code allows anyone with access to the binary or the source code to reach the internal infrastructure and steal user data. Attackers can use the keys to gain unauthorized access to storage, as well as to databases that contain confidential information.

For example, the 'Pic Stitch: Collage Maker' app, which has been downloaded more than 5 million times on Google Play, contains hard-coded AWS credentials. The code contains a function that selects the credentials to use depending on the runtime environment. Attackers can obtain the S3 storage keys and manipulate the data without restriction.

Similar problems were found in the iOS apps Crumbl, Eureka and Videoshop. In the Crumbl application, which has millions of ratings on the App Store, static keys were found for access to AWS IoT services via WebSocket Secure (WSS). Such a configuration error creates serious risks for both data and infrastructure.

The Eureka application uses AWS to log events, and its keys are also stored in plain text. The Videoshop app does not encrypt the keys it uses to interact with S3, making unauthorized access easy.

Hard-coded credential issues have also been found in applications that use Azure Blob Storage. For example, the Meru Cabs app, which has been downloaded more than 5 million times, stores a connection string containing cloud storage access keys in its code. Similar problems have been reported in Sulekha Business, where the keys are used to manage profiles and billing, as well as in ReSound Tinnitus Relief, which works with audio files.

The presence of these applications on a device does not mean that the user's data has already been compromised. However, until the developers fix the issue, cybercriminals can exploit these weaknesses and gain access to the information.

To protect your data, we recommend following a number of best practices:
Store keys in environment variables instead of embedding them in code.
Use a secrets manager such as AWS Secrets Manager or Azure Key Vault.
Encrypt data and decrypt it only at runtime.
Carry out periodic security audits and code reviews.
Integrate automated security tools into the development process.
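The last two recommendations (code review and automated tooling) come down to one concrete check: find credential-shaped strings in the source or the decompiled binary before it ships. The following is an added example, not code from Symantec or from any of the apps named above. It scans a constructed set of source lines for the three artifact types the post describes (an AWS access key ID, an AWS secret access key, and an Azure Storage connection string with an AccountKey), reports each hit with the secret masked so the report itself does not leak it, and contrasts that with a loader that reads the AWS credentials from the environment at runtime. The key values in the sample are the placeholder examples from AWS's own documentation and a made-up base64 string of the right length; the file paths and the `load_aws_credentials` helper are assumptions for illustration.

```python
"""Detect hard-coded cloud credentials in app source or extracted strings.

Added example: the sample input below is constructed for illustration.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample, shaped like lines pulled from a decompiled Android app.
# AWS values are the documented AWS placeholder examples; the Azure AccountKey
# is a made-up 88-character base64 string, not a real key.
SAMPLE_SOURCE = {
    "app/config/Env.java": [
        'static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
        'static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
        'static final String BUCKET = "prod-user-uploads";',
    ],
    "app/storage/Blob.java": [
        'String conn = "DefaultEndpointsProtocol=https;AccountName=examplestore;'
        'AccountKey=' + "A" * 86 + '==;EndpointSuffix=core.windows.net";',
    ],
    "app/util/Log.java": [
        'Log.d("boot", "environment=" + System.getenv("APP_ENV"));',
    ],
}

# Each rule captures the secret itself in group 1 so it can be masked.
RULES = {
    # Long-term (AKIA) or temporary (ASIA) access key IDs: 20 upper-case alnum chars.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    # A 40-char base64-ish literal assigned near a variable whose name says "secret".
    "aws_secret_access_key": re.compile(
        r"(?i)(?:secret|aws_secret_access_key)[^\n\"']{0,40}[\"']([A-Za-z0-9/+=]{40})[\"']"
    ),
    # Azure Storage connection string carrying the account key inline.
    "azure_storage_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=[^;\"']+;AccountKey=([A-Za-z0-9+/=]{40,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # the matched secret with all but a short prefix masked


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest, so findings are safe to log."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_lines(path: str, lines: list[str]) -> list[Finding]:
    """Run every rule over every line of one file and collect masked findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, redact(match.group(1))))
    return findings


def scan_tree(files: dict[str, list[str]]) -> list[Finding]:
    """Scan a mapping of path -> lines, as a CI step or pre-commit hook would."""
    results = []
    for path, lines in files.items():
        results.extend(scan_lines(path, lines))
    return results


def load_aws_credentials(env=os.environ) -> dict[str, str]:
    """The recommended shape: read credentials at runtime, never from a string literal.

    Fails loudly when a variable is missing instead of silently falling back
    to an embedded default, which is how hard-coded keys tend to creep back in.
    """
    try:
        return {
            "access_key_id": env["AWS_ACCESS_KEY_ID"],
            "secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
        }
    except KeyError as exc:
        raise RuntimeError(f"missing credential in environment: {exc.args[0]}") from None


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_SOURCE):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

In a real pipeline the input would be the repository tree or the string table of the built APK/IPA, and any hit would fail the build; the masked output can then be pasted into a ticket without re-leaking the key. The patterns are deliberately narrow (exact AWS key-ID prefixes, a fixed-length secret next to a "secret"-named identifier, a full Azure connection string) to keep false positives low in a first pass.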

Following these best practices can help minimize risk and improve application security. The incidents identified in these examples highlight the importance of prioritizing security throughout the development process.