Published White Paper : http://csek.me/Qwmq
0.5% of Mobile Apps on the Internet Expose AWS API Keys
Amazon Web Services (AWS) is the preferred cloud computing platform for enterprises, small businesses, and even governments worldwide. From NASA to Netflix, AWS services and APIs are used by millions of companies for their infrastructure needs, hosting requirements, and to enable their websites and mobile apps. This is why threat actors are constantly looking for ways to compromise a company’s AWS services to get their hands on sensitive information, user data, and internal networks.
CloudSEK’s BeVigil, a security search engine for mobile apps, has found that 0.5% of mobile apps expose AWS API keys, thus putting their internal networks and data at high risk.
Critical Flaw in How Mobile App Developers Use AWS
APIs have revolutionised how apps are developed and used. They make it easy for developers to build apps that communicate with multiple sources and efficiently manage data flowing to and from the apps. In the case of AWS, the API acts like a password for the app to access data stored on AWS. In simple words, if AWS is your apartment, where you store critical data and files, the API key unlocks your front door.
While public API keys, such as that of Facebook and LinkedIn, are intentionally made available for other apps to verify user identities, most apps use private keys that need to be kept secure. However, given the pace at which new versions of apps are released, and the fast pace at which developers work, it is not uncommon for developers to overlook exposed API keys.
CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages.
These keys could be easily discovered by malicious hackers or competitors who could use it to compromise their data and networks. In fact, multiple recent high-profile hacks, such as the Imperva breach, have leveraged this misconfiguration to compromise cloud infrastructure. Hence, hardcoded API keys are akin to locking your house but leaving the key in an envelope titled “do not open.”
While this is not a flaw in AWS, it is evidence of how sloppily AWS keys are handled. So, it is up to individual companies to address the security concerns associated with using AWS services.
Identifying Mobile Apps Exposing AWS API Keys
Despite having over 8 million apps to choose from, users, app developers, and security researchers don’t have a mechanism to determine the security posture of mobile apps. To address this gap, CloudSEK launched BeVigil — the world’s first security search engine for mobile apps, in April 2021.
Given how time-consuming and expensive security reviews can be, developers often skip this step before apps are shipped off to various app stores. And it doesn’t help that end users don’t have any mechanisms to ensure that the apps they install are secure. This leads to user data being breached and then sold on underground forums to the highest bidder. But with BeVigil, users can now ascertain the risk rating of an app, check the list of permissions it requests, and ensure it is not malicious. Moreover, app developers can proactively upload their apps to BeVigil to identify vulnerabilities and remediate them, avoiding any pitfalls before their launch. In addition, security researchers can perform in-depth investigations on millions of apps using their metadata and by searching the app packages for code snippets, keywords, strings, or other expressions that denote vulnerabilities. And the scan reports generated by BeVigil are made available to the global CloudSEK community.
Analysis of 10,000 Apps
In the past month, over 10,000 apps have been uploaded to BeVigil for analysis. Out of which, we found 40+ apps, i.e 0.5% of the apps, had hardcoded private AWS keys. And in total, the 40+ apps have more than 100 million downloads. Given that there are over 8 million apps available across app stores, we estimate that there are thousands of mobile apps exposing AWS keys. With many of these apps catering to millions of users, there needs to be widespread awareness about the risks involved.
CloudSEK has responsibly disclosed these security concerns to AWS and the affected companies independently.
Listing some of the popular apps that were exposing private AWS keys. For security reasons, we are only listing apps whose keys are deactivated.
| Organisation | App ID | No. of Installs | Category | Country |
|---|---|---|---|---|
| Clubfactory | club.fromfactory | 100,000,000+ | Ecommerce | India |
| Adobe Photoshopfix | com.adobe.adobephotoshopfix | 10,000,000 | Photography | United States |
| Adobe Comp | com.adobe.comp | 500,000+ | Art & Design | United States |
| Weather Forecast & Snow Radar | com.weather.weather | 100,000,000 | Weather | United States |
| Wholee – Online Shopping Store | com.wholee | 1,000,000 | Shopping | Singapore |
| Oven Story Pizza | in.ovenstory | 1,000,000 | Food & Drink | India |
| Hootsuite: | com.hootsuite.droid.full | 5,000,000 | Social | Canada |
Impact of Leaked AWS Keys
AWS keys hardcoded in a mobile app source code can be a huge problem especially if its IAM role has wide scope and permissions. The possibilities for misuse are endless here since the attacks can be chained, and the attacker can gain further access to the whole infrastructure, even the codebase, and config. Below, we discuss one such finding.
This is an app in Playstore with more than half a million downloads that have hardcoded AWS key and secret in its strings.xml file.
This key has access to multiple AWS services including ACM (Certificate Manager), ElasticBeanstalk, Kinesis, OpsWorks, S3. We focused on S3 to dig in more to analyze the impact of the exposure. It was discovered that the AWS credentials have access to 88 S3 buckets (read/write). Collectively these 88 buckets contain 10,073,444 files and the data being exposed sums up to a total of 5.5 Terabytes.
These buckets were deployed to host files and data being generated from projects. We found application source code, backup files, user reports, test artifacts, user uploads, logs, WordPress backup, user certificates, config files, credential files, and more distributed across these buckets.
From the application backups and config files, one can obtain more credentials such as database hostnames, passwords, tokens, and further branch out into the running infrastructure.
Database Config file with plain text password to msql.
Exposed database accessible using the password.
About AWS.
AWS, Amazon’s cloud computing system, offering to compute power, database storage and allows users to interact with their infrastructure via APIs. These API keys, based on the permissions set, will have access to multiple functionalities of AWS.
AWS
When you interact with AWS, you specify your AWS security credentials to verify who you are and whether you have permission to access the resources that you are requesting. AWS uses the security credentials to authenticate and authorize your requests. For example, if you want to download a protected file from an Amazon Simple Storage Service (Amazon S3) bucket, your credentials must allow that access. If your credentials aren’t authorized to download the file, AWS denies your request. However, your AWS security credentials are not required to download a file in an Amazon S3 bucket that is publicly shared.
History of attacks using leaked AWS keys.
| Who | When | What | Link |
|---|---|---|---|
| Accenture | October 2017 | 40k passwords, tech info, API keys | Article |
| Fresh Films | January 2020 | Personal data points exposed included names, postal and email addresses, phone numbers, birth dates, and bank details, as well as passport scans and the National Insurance numbers of some. | Article |
| Dow Jones & Company | July 2017 | Sensitive personal and financial details of ~2M customers | Article |
| Upstox | April 2021 | Hacker group ShinyHunters leaked 25 lakh users and 5.6 crores of Know Your Customer (KYC) data. Multiple other high-profile hacks by ShinyHunters used the same technique. Find leaked AWS keys from leaked source codes, mobile apps, | Article |
| Verizon | July 2017 | Personal data of 14 million Verizon customers | Article |
| WWE | July 2017 | Personal information of 3M customers | Article |
| Uber | October 2016 | Personal information of 57 million users worldwide, including 600,000 U.S. drivers | Article |
How AWS keys work
AWS keys allow programmatic access to AWS services without the user having to login into the AWS login panel. The AWS keys will have the same permissions as the IAM user being used to generate the key. Normally, temporary keys are generated with very narrow privileges and are short-lived. Temporary access keys are used for usage in insecure environments.
Why were these keys hardcoded in the APK
- Accessing static files from s3 buckets to show them in the mobile app, even though the keys are not required for this operation.
- uploading data collected from the app user to s3
- Sending mails via the AWS SES service
The ideal way to use AWS keys
When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Your access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/ bPxRfiCYEXAMPLEKEY). Anyone who has your access keys has the same level of access to your AWS resources that you do.
AWS has documentation on how to access your resources with your keys securely. The fundamental security practice is not to hardcode them anywhere.
https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-access-keys-best-practices
What to Do If You Inadvertently Expose an AWS Access Key
Revoke/Delete an access key –
https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/
About CloudSEK
CloudSEK is an AI-driven Digital Risk Management Enterprise. CloudSEK’s XVigil platform help clients assess their security posture in real-time from the perspective of an attacker. XVigil scours thousands of sources (across the surface, deep and dark web), to detect cyber threats, data leaks, brand threats, identity thefts, etc. To learn more about how the CloudSEK XVigil platform can strengthen your external security posture and deliver value from Day 1, visit https://cloudsek.com/ or drop a note to [email protected]