Unencrypted AWS Access Keys found in Mobile Apps – What Happened And How It Could’ve Been Avoided
Security researchers at the software manufacturer Symantec have found unencrypted AWS access keys in almost 1,900 publicly available smartphone apps.
Security researchers at Symantec found almost 1,900 publicly available smartphone apps (including mobile banking applications) containing unencrypted, easily extracted access keys that gave access to backend app data and private customer data. Within the 1,859 publicly available apps – 98% of them for iOS – the team of researchers found access tokens for Amazon Web Services (AWS), which enabled access to a plethora of Amazon cloud data. Files belonging to 15,000 medium and large enterprises were discovered, alongside 300,000 biometric fingerprints.
Developers using AWS had put access tokens in clear text (entirely unencrypted) in source code, allowing anyone with the right knowledge of access keys to use them to reach backend data on Amazon cloud. In many of those cases, access to the data or the Amazon cloud was also not restricted by any access management system or user identification process. The researchers were therefore not just able to read the data easily; they could also modify and delete it, calling into question the integrity of all data stored within the affected apps and institutions.
Although the access keys in this case were found specifically within mobile applications, they could all be used to access data stored in AWS. The question is: if you are currently hosting with AWS, how do you ensure you aren’t falling foul of the same mistakes these developers made?
Thankfully, if you want to secure your AWS or any other public cloud hosting, there are plenty of solutions on the market that can help you do that. Below are a few of the measures you can adopt to keep your data safe…
– Firstly, you could use the CyberArk Cloud Entitlements Manager to gain an overall view of your permissions and access. This would help you to remove any excess permissions that are no longer required across your cloud footprint.
– Secondly, you should secure your access keys. This step doesn’t necessarily require a tool, but it does require you to ensure that keys are never stored in source code in clear text. If you must store your access keys in source code, ensure they are encrypted.
– If you are an app developer hosting through AWS, a possible solution for securing any secrets in your CI/CD pipelines could be CyberArk’s new Secrets Hub. The recently launched “Secrets Hub for AWS Secrets Manager” removes secrets from your application and replaces them with APIs, simplifying the developer experience and ensuring one centralised security policy can be applied across the entire enterprise.
– Finally, you also need to think about access management. If a hacker does manage to decrypt your access keys, how do you ensure that they do not have the permissions required to access and/or modify your data? Identity and access management is a hot topic in the cyber security space right now and, at Infosec K2K, it is one of our core specialities. Find out more about how we can help you to control user access to your data here.
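One way to enforce the second point, keys never in source code, is a CI gate that scans the app's source for AWS credential patterns before it ships. This is an added example, not code from the original post or from CyberArk or Symantec; it assumes the documented shape of AWS access key IDs (an AKIA or ASIA prefix plus 16 uppercase alphanumerics) and uses AWS's published documentation example key pair as constructed sample data.

```python
"""CI gate: fail the build when AWS credentials appear in app source."""
import re
from typing import NamedTuple

# Access key ID: AKIA (long-lived IAM user key) or ASIA (temporary STS key) + 16 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access key: 40 base64-alphabet chars; only flagged when quoted near "secret"/"aws" to limit noise.
SECRET_KEY_RE = re.compile(r"(?i)(?:secret|aws).{0,40}?['\"]([A-Za-z0-9/+=]{40})['\"]")

class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # CI logs are widely readable; never print the full value

def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]

def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-shaped token in one file with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            kind = "long_lived_access_key_id" if m.group(1) == "AKIA" else "temporary_access_key_id"
            findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "secret_access_key", redact(m.group(1))))
    return findings

def scan_tree(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def ci_gate(files: dict[str, str]) -> bool:
    """True when the build may ship. Any embedded key fails it: an app binary can be
    unpacked, so encrypting or obfuscating the key inside the app does not make it safe."""
    return not scan_tree(files)

# Constructed sample source tree; the key pair is AWS's published documentation example, not a live credential.
SAMPLE_FILES = {
    "ios/App/Networking.swift": (
        "let client = S3Client(\n"
        '    accessKey: "AKIAIOSFODNN7EXAMPLE",\n'
        '    secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")\n'
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    raise SystemExit(0 if ci_gate(SAMPLE_FILES) else 1)
```

Run against a real checkout by reading each source file into the dictionary; a non-zero exit fails the pipeline stage.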
Looking for support assessing, improving or implementing your cyber security solutions? You’re in the right place.
Get in touch with us to find out more about how we can help you.