Hardcoded Cloud Credentials Found in Popular Mobile Apps: A Major Security Flaw

23andMe Data Leak

In a recent report by Symantec, a critical security issue has been uncovered in several widely-used mobile applications across both Android and iOS platforms. These apps have been found to contain hardcoded cloud service credentials, exposing users and backend services to significant security risks.

The report reveals that several popular mobile applications have hardcoded and unencrypted Amazon Web Services (AWS) and Microsoft Azure credentials within their source code. This dangerous practice means that attackers who gain access to the app’s binary or source code could easily extract these credentials, enabling unauthorized access to cloud resources, user data, and backend infrastructure.

One particularly concerning example is the Pic Stitch: Collage Maker app, which has over 5 million downloads on the Google Play Store. The app’s source code contains hardcoded AWS credentials that are used to access an Amazon S3 bucket, posing a significant risk of data theft or manipulation. As noted in the report, “If the boolean flag is set to true, the app loads the production credentials, including the production Amazon S3 bucket name, the read and write access keys, and secret keys,” leaving them vulnerable to exploitation.

Hardcoded Cloud Credentials

Pic Stitch hardcoded credentials code | Image: Symantec

Other apps, such as Crumbl, Eureka: Earn Money for Surveys, and Videoshop – Video Editor, also fall victim to this flaw. These apps, which collectively have millions of downloads and stellar user ratings, have been found to hardcode AWS credentials, exposing sensitive cloud resources to potential attacks. For instance, Crumbl’s use of plain-text credentials to configure AWS services, along with a hardcoded WebSocket Secure (WSS) endpoint, poses a significant security risk.

Similarly, on the Android side, apps like Meru Cabs and Sulekha Business have hardcoded Microsoft Azure Blob Storage credentials. The Meru Cabs app, with over 5 million downloads, uses these credentials to manage log uploads. This exposes critical cloud storage resources to potential abuse, making sensitive data highly vulnerable to unauthorized access.

Hardcoding credentials, especially without encryption, leaves apps wide open to attack. According to the report, “Anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches.” The problem is exacerbated by the widespread use of these apps, putting millions of users at risk.

To address this issue, developers need to adopt better security practices, such as:

  • Use Environment Variables: Store sensitive credentials in environment variables loaded at runtime, rather than embedding them directly in the app’s source code.
  • Implement Secrets Management: Leverage tools like AWS Secrets Manager or Azure Key Vault to securely store and access cloud service credentials.
  • Encrypt Sensitive Data: If credentials must be stored, ensure they are encrypted using strong encryption algorithms, and only decrypt them when needed.
  • Regular Code Reviews and Audits: Periodically review code for security vulnerabilities, such as hardcoded credentials, to mitigate risks early.
  • Automate Security Scanning: Integrate security scanning tools into your CI/CD pipeline to catch potential vulnerabilities during the development process

Related Posts: