[MART] - Daily Diary #587 - SDKs Exposing AWS Credentials

ctas-mat at appgate.com ctas-mat at appgate.com
Fri Sep 2 21:14:29 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

09/02/2022 - Diary entry #587:

Embedding hardcoded credentials in an application can be a very serious vulnerability. It’s common practice to add them to the code during development, but shipping the product with them is a real problem: an attacker can reverse engineer the app to retrieve the hardcoded credential and use it to perform actions the application itself would never perform. This is even more critical when the credential ships inside an SDK, since many applications in the wild then carry the same hardcoded credential.

In recent research, more than 1,000 iOS apps were found to be exposing encrypted AWS credentials. Most of those apps carried a vulnerable SDK with hardcoded credentials. More than three-quarters of them contained valid AWS access tokens that could be used to directly access private cloud services. In some cases, the token granted access to a shared database holding private data from every client using an application with the embedded SDK.

Although it’s a common mistake, companies should add secret scanning to their automated deployment pipelines so that a sensitive credential pushed toward production is detected before release. If a credential leak is detected, as in the SDKs from the research, it’s important to immediately revoke all permissions associated with the credential (older versions can still be reverse engineered to recover it) and to coordinate with clients on a release that ships a fixed version.
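As an added illustration of the scanning step described above (my own example, not part of the diary entry or any vendor product), the check below looks for AWS access key IDs and secret access keys in build artifacts, including compiled SDK binaries where the strings survive as plain ASCII. The artifact names are hypothetical and the credential values are AWS's documented placeholder examples, not real keys.

```python
"""Pre-release secret scan for hardcoded AWS credentials in build artifacts."""
import re

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 chars.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys are 40 base64-like chars; require a nearby "secret" hint
# so random 40-char runs inside a binary do not fire.
SECRET_KEY_RE = re.compile(rb"(?i)secret[^\n\x00]{0,40}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def mask(value: str) -> str:
    """Keep only the ends of a credential so CI logs never echo the full secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_bytes(data: bytes) -> list[tuple[str, int, str]]:
    """Return (kind, offset, masked_value) for every credential-looking string.

    Operates on raw bytes, so it applies equally to source files and to compiled
    SDK binaries, where the credential sits as an ASCII run between other data.
    """
    hits = []
    for m in ACCESS_KEY_RE.finditer(data):
        hits.append(("aws_access_key_id", m.start(1), mask(m.group(1).decode())))
    for m in SECRET_KEY_RE.finditer(data):
        hits.append(("aws_secret_access_key", m.start(1), mask(m.group(1).decode())))
    return sorted(hits, key=lambda h: h[1])


def release_gate(artifacts: dict[str, bytes]) -> list[str]:
    """Scan every artifact; an empty report means the build may be released."""
    report = []
    for name, data in artifacts.items():
        for kind, offset, masked in scan_bytes(data):
            report.append(f"{name}: {kind} at offset {offset}: {masked}")
    return report


# Constructed sample artifacts (hypothetical names). The key values are AWS's
# documented placeholder credentials; the "binary" mimics strings in an SDK.
SAMPLE_ARTIFACTS = {
    "libvendor_sdk.a": (
        b"\x7fELF\x00\x00\x00cfg\x00AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE\x00"
        b"AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
        b"s3://shared-client-data/\x00"
    ),
    "Config.swift": b"let secretKeyLength = 40 // no credential here\n",
}

if __name__ == "__main__":
    findings = release_gate(SAMPLE_ARTIFACTS)
    for line in findings:
        print("BLOCK:", line)
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline
```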

Kind Regards,
