by

Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data

Published White Paper : http://csek.me/Qwmq

0.5% of Mobile Apps on the Internet Expose AWS API Keys

Amazon Web Services (AWS) is the preferred cloud computing platform for enterprises, small businesses, and even governments worldwide. From NASA to Netflix, AWS services and APIs are used by millions of companies for their infrastructure needs, hosting requirements, and to enable their websites and mobile apps. This is why threat actors are constantly looking for ways to compromise a company’s AWS services to get their hands on sensitive information, user data, and internal networks. 

CloudSEK’s BeVigil, a security search engine for mobile apps, has found that 0.5% of mobile apps expose AWS API keys, thus putting their internal networks and data at high risk. 

Critical Flaw in How Mobile App Developers Use AWS

APIs have revolutionised how apps are developed and used. They make it easy for developers to build apps that communicate with multiple sources and efficiently manage data flowing to and from the apps. In the case of AWS, the API acts like a password for the app to access data stored on AWS. In simple words, if AWS is your apartment, where you store critical data and files, the API key unlocks your front door. 

While public API keys, such as that of Facebook and LinkedIn, are intentionally made available for other apps to verify user identities, most apps use private keys that need to be kept secure. However, given the pace at which new versions of apps are released, and the fast pace at which developers work, it is not uncommon for developers to overlook exposed API keys. 

CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. 

These keys could be easily discovered by malicious hackers or competitors who could use it to compromise their data and networks. In fact, multiple recent high-profile hacks, such as the Imperva breach, have leveraged this misconfiguration to compromise cloud infrastructure. Hence, hardcoded API keys are akin to locking your house but leaving the key in an envelope titled “do not open.”

While this is not a flaw in AWS, it is evidence of how sloppily AWS keys are handled. So, it is up to individual companies to address the security concerns associated with using AWS services. 

Identifying Mobile Apps Exposing AWS API Keys

Despite having over 8 million apps to choose from, users, app developers, and security researchers don’t have a mechanism to determine the security posture of mobile apps. To address this gap, CloudSEK launched BeVigil — the world’s first security search engine for mobile apps, in April 2021. 

Given how time-consuming and expensive security reviews can be, developers often skip this step before apps are shipped off to various app stores. And it doesn’t help that end users don’t have any mechanisms to ensure that the apps they install are secure. This leads to user data being breached and then sold on underground forums to the highest bidder. But with BeVigil, users can now ascertain the risk rating of an app, check the list of permissions it requests, and ensure it is not malicious. Moreover, app developers can proactively upload their apps to BeVigil to identify vulnerabilities and remediate them, avoiding any pitfalls before their launch. In addition, security researchers can perform in-depth investigations on millions of apps using their metadata and by searching the app packages for code snippets, keywords, strings, or other expressions that denote vulnerabilities. And the scan reports generated by BeVigil are made available to the global CloudSEK community.

Analysis of 10,000 Apps

In the past month, over 10,000 apps have been uploaded to BeVigil for analysis. Out of which, we found 40+ apps, i.e 0.5% of the apps, had hardcoded private AWS keys. And in total, the 40+ apps have more than 100 million downloads. Given that there are over 8 million apps available across app stores, we estimate that there are thousands of mobile apps exposing AWS keys. With many of these apps catering to millions of users, there needs to be widespread awareness about the risks involved. 

CloudSEK has responsibly disclosed these security concerns to AWS and the affected companies independently. 

Listing some of the popular apps that were exposing private AWS keys. For security reasons we are only listing apps whose keys are deactivated. 

OrganisationApp IDNo. of InstallsCategoryCountry
Clubfactoryclub.fromfactory100,000,000+EcommerceIndia
Adobe Photoshopfixcom.adobe.adobephotoshopfix10,000,000PhotographyUnited States
Adobe Compcom.adobe.comp500,000+Art & DesignUnited States
Weather Forecast & Snow Radarcom.weather.weather100,000,000WeatherUnited States
Wholee – Online Shopping Storecom.wholee1,000,000ShoppingSingapore
Oven Story Pizza in.ovenstory1,000,000Food & DrinkIndia
Hootsuite: com.hootsuite.droid.full5,000,000SocialCanada

Impact of Leaked AWS Keys 

AWS keys hardcoded in a mobile app source code can be a huge problem especially if it’s IAM role has wide scope and permissions. The possibilities for misuse are endless here, since the attacks can be chained, and the attacker can gain further access to the whole infrastructure, even the codebase and config. Below, we discuss one such finding. 

This is an app in playstore with more than half a million downloads that has hardcoded AWS key and secret in it’s strings.xml file.

This key has access to multiple AWS services including ACM (Certificate Manager), ElasticBeanstalk, Kinesis, OpsWorks, S3. We focused on S3 to dig in more to analyse the impact of the exposure. It was discovered that the AWS credentials have access to 88 S3 buckets (read/write).  Collectively these 88 buckets contain 10,073,444 files and the data being exposed sums upto a total of 5.5 Terabytes.

These buckets were deployed to host files and data being generated from projects. We found application source code, backup files, user reports, test artifacts, user uploads, logs, wordpress backup, user certificates, config files, credential files and more distributed across these buckets.

From the application backups, and config files, one can obtain more credentials such as database hostnames, passwords, tokens and further branch out into the running infrastructure. 

Database Config file with plain text password to msql. 

Exposed database accessible using the password. 

About AWS.

AWS, Amazon’s cloud computing system, offering compute power, database storage and allows users to interact with their infrastructure via APIs. These API keys,  based on the permissions set, will have access to multiple functionalities of AWS.

AWS 

When you interact with AWS, you specify your AWS security credentials to verify who you are and whether you have permission to access the resources that you are requesting. AWS uses the security credentials to authenticate and authorize your requests. For example, if you want to download a protected file from an Amazon Simple Storage Service (Amazon S3) bucket, your credentials must allow that access. If your credentials aren’t authorized to download the file, AWS denies your request. However, your AWS security credentials are not required to download a file in an Amazon S3 bucket that is publicly shared.

History of attacks using leaked AWS keys.

WhoWhenWhatLink
AccentureOctober 201740k passwords, tech info, API keysArticle
Fresh Films January, 2020Personal data points exposed included names, postal and email addresses, phone numbers, birth dates and bank details, as well as passport scans and the National Insurance numbers of some.Article
Dow Jones & CompanyJuly, 2017Sensitive personal and financial details of ~2M customersArticle
UpstoxApril 2021Hacker group ShinyHunters leaked 25 lakh users and 5.6 crores of Know Your Customer (KYC) data. Multiple other high profiles hacks by ShinyHunters used the same technique. Find leaked AWS keys from leaked source codes, mobile apps, Article
VerizonJuly 2017Personal data of 14 million Verizon customersArticle
WWEJuly 2017Personal information of 3M customersArticle
Uber

October 2016Personal information of 57 million users worldwide, including 600,000 U.S. driversArticle

How AWS keys work

AWS keys allow programmatic access to AWS services without the user having to login into the AWS login panel. The AWS keys will have the same permissions as the IAM user being used to generate the key. Normally, temporary keys are generated with very narrow privileges and are short-lived. Temporary access keys are used for usage in insecure environments. 

Why were these keys hardcoded in the APK

  • Accessing static files from s3 buckets to show them in the mobile app, even though the keys are not required for this operation.
  • uploading data collected from the app user to s3 
  • Sending mails via the AWS SES service

The ideal way to use AWS keys

When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Your access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/ bPxRfiCYEXAMPLEKEY). Anyone who has your access keys has the same level of access to your AWS resources that you do.

AWS has a documentation on how to access your resources with your keys securely. The fundamental security practice is not to hardcode them anywhere. 

https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-access-keys-best-practices

What to Do If You Inadvertently Expose an AWS Access Key

Revoke/Delete an access key –

https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/

About CloudSEK 

CloudSEK is an AI-driven Digital Risk Management Enterprise. CloudSEK’s XVigil platform help clients assess their security posture in real-time from the perspective of an attacker. XVigil scours thousands of sources (across the surface, deep and dark web), to detect cyber threats, data leaks, brand threats, identity thefts, etc. To learn more about how the CloudSEK XVigil platform can strengthen your external security posture and deliver value from Day 1, visit https://cloudsek.com/ or drop a note to [email protected]

Write a Comment

Comment

Webmentions

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Cyber Briefs

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Cyber Freakz | Tech News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • 40 Mobile Apps with Over 100 Mn Downloads Found Leaking AWS… - duckduck WHO ?

    […] found that 0.5% of mobile apps expose Amazon Web Services (AWS) Application Programming Interface (API) […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – 1stCyberSecurity.Com

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Leaked AWS switches are reported in more than 40 applications with more than 100 applications installed - Tech Info Newz

    […] report recently shared with The Hacker News revealed how the Beagle’s search engine identified more […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Cyber Security Reviews

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Daily Updates USA

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys | Blog

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • TeamYMZ Media | Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With Extra Than 100 Million Installs Discovered Leaking AWS Keys – #HashtagNerdBag

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - News Nation USA

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - NY Press News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Hacking and Programming

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - LA Times Now

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Article Resort

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Hacker Observer

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - WP Guy News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Tech News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Plus de 40 applications avec plus de 100 millions d’installations ont détecté des fuites de clés AWS – Actualités cybersécurité

    […] dernière rapport partagé avec The Hacker News a détaillé comment le moteur de recherche BeVigil a identifié plus […]

  • More than 40 apps with over 100 million install Leak AWS Keys | TechnoidHost

    […] to CloudSEK, AWS keys hardcoded into a mobile app source code can be an issue. Especially if its “Identity […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys | e-Shielder Security News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Cyber Chapters

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Cyber Security

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys • Summary networks

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – NuclearCoffee

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys | Technology First News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Auto Translate News

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Swapupdate

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – McHugo.com

    […] contemporary report shared with The Hacker Information detailed how the BeVigil search engine recognized over 40 apps […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys | Static Networks

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With Extra Than 100 Million Installs Discovered Leaking AWS Keys – Etechrv

    […] contemporary report shared with The Hacker Information detailed how the BeVigil search engine recognized over 40 apps […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - OS.Report

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Zoxy

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Business Mayor

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Plus De 40 Applications Avec Plus De 100 Millions D'installations Ont Détecté Des Fuites De Clés AWS - Tech Tribune France

    […] dernière rapport partagé avec The Hacker News a détaillé comment le moteur de recherche BeVigil a identifié plus […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Times News Express

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys – Cyberthoth

    […] contemporary report shared with The Hacker News detailed how the BeVigil search engine recognized over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - Washington latest

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - RECON Technologies

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - IT LinesIT Lines

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - duckduck WHO ?

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - WiredFocus

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - BEKER

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – […]

  • Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys - SecuritNEWS

    […] latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps – with […]