Our Blog

Unencrypted AWS Access Keys found in Mobile Apps – What Happened And How It Could’ve Been Avoided

Security researchers from the software manufacturer Symantec have found unencrypted access keys in almost 1,900 smartphone apps in the public domain.

What Happened

Security researchers at Symantec found almost 1,900 publicly available smartphone apps (including mobile banking applications) with easily accessible unencrypted access keys, allowing them to access backend app data and private customer data. Within the 1,859 publicly available apps – 98% of them for iOS – the team of researchers found access tokens for amazon Web Services (AWS), which enabled access to a plethora of Amazon cloud data. Files belonging to 15,000 medium and large enterprises were discovered, alongside 300,000 biometric fingerprints.

How It Happened

Developers using AWS had put access tokens in clear text (entirely unencrypted) in source code, allowing anyone with the right knowledge and understanding of access keys to use them to access backend data on Amazon cloud. Not only this, but access to this data or the Amazon cloud was in many of those cases not restricted by any access management system or user identification process, meaning the researchers weren’t just able to access the data easily, but they could also modify and delete it, throwing into question the integrity of all data stored within the affected apps and institutions.

The Solution That Could Have Stopped It

Although the access keys in this case were explicitly found within mobile applications, they could all be used to access data stored in AWS. The question is, if you’re currently hosting with AWS, how do you ensure you aren’t falling foul of the same mistakes these developers made?

Well thankfully, if you do want to secure your AWS or any other public cloud hosting, there are lots of solutions on the market that can help you do that. Below are a few of the solutions you can adopt to keep your data safe…

– Firstly, you could use the CyberArk Cloud Entitlements Manager to gain an overall view of your permissions and access. This would help you to remove any excess permissions that are no longer required right across your cloud footprint.

– Secondly, you should secure your access keys. This step doesn’t necessarily require a program, but it does require you to ensure that they are not stored in source code in clear text! If you must store your access keys in source code, ensure they are encrypted.

– If you are an app developer hosting through AWS, a possible solution to secure any secrets in your CI/CD pipelines could be CyberArk’s new Secrets Hub. The recently launched “Secrets Hub for AWS Secrets Manager” removes secrets from your application and replaces them with API’s, simplifying the developer experience and ensuring one centralised security policy can be carried out across the entire enterprise.

– Finally, you also need to think about access management. If a hacker does manage to decrypt your access keys, how do you ensure that they do not have the permissions required to access and/or modify your data? Identity and access management are hot topics in the cyber security space right now and, at Infosec K2K, it is one of our core specialities. Find out more about how we can help you to control user access to your data here.

Looking for support assessing, improving or implementing your cyber security solutions? You’re in the right place. To speak to our team of expert cyber security partners, fill out the form here or send us an email at [email protected].


Our Blog

The Uber Hack: What We Can Learn From The Latest High-Profile Cyber Attack

The world’s number 1 taxi app was hit by a rather serious cyber security attack recently. But what really happened and what can we learn from it?

Last week, it was revealed that Mobility as a Service provider Uber was hit with a high-profile cyber attack that has left the company’s reputation at serious risk. In today’s blog we’re exploring exactly how the attack took place, how it could have been avoided, and what we (as IT teams, cyber security experts and business owners) can learn from it.

What Happened?

Allegedly, a young hacker was able to download HackerOne vulnerability reports and view and screenshot almost all of the company’s internal systems (including emails, Slack messages, the company’s security software and Windows domain).

The hacker is said to have breached Uber through a social engineering attack (an attack that utilises psychological manipulation to coerce a user into performing certain actions or divulging confidential information) on an employee. They launched what is known as an MFA Fatigue attack – whereby a hacker almost has access to a user’s account but is blocked by multi-factor authentication. The attacker then spams the employee with multi-factor authentication requests until they become tired of seeing them and accept them. In this case, they completed the process by contacting the employee, claiming to be Uber IT and asking that they accept the request. The employee did as they were told, providing the hacker with access to the company’s intranet.

Once on the intranet, the hacker claims to have found a PowerShell script containing plain text admin credentials for the company’s Thycotic privileged access management (PAM) platform.

This was then used to access logins for the company’s other internal services, including app sourcecode and databases.

What Can We Learn From It?

Well, in this case, the lessons are fairly simple.

1. Even if your business has a PAM solution in place, you will still require secure program enforcement to ensure all attack vectors are closed (even those that arise due to the introduction of a PAM solution, such as the one used to exploit Uber).


2. Never ever store your (privileged) credentials anywhere in clear text, especially not in automation scripts. Use encryption and/or dedicated solutions for secrets management, instead.

Don’t Let It Happen To You

You’ve worked far too hard to let your business (or the business you work for) fall victim to a cyber attack.

At Infosec K2K, we know what it takes to keep your business safe from the threats of today and those of the future. Get in touch today to find out how we can help.