Sergey Nivens - Fotolia

Popular mobile apps leaking AWS keys, exposing user data

Security researchers at CloudSek discovered approximately 40 popular mobile apps contained hardcoded API secret keys, putting both user information and corporate data at risk.

AWS databases containing user data and other private information are being exposed to the open internet, thanks to hardcoded keys left embedded in mobile apps.

Researchers from CloudSek, a cybersecurity vendor based in India, said that a study of some 8,000 apps found that around 0.5%, or one in every 200 mobile apps, contained hardcoded private keys for the APIs that the apps use to communicate with AWS services.

CloudSek said that of the 10,000 apps it collected through its BeVigil scanning service, around 40 were found to contain hardcoded private security keys for AWS services. It is estimated that those apps have accumulated a total of 100 million downloads and link up with around 5.5 TB of stored data. The secret keys, which are normally scrubbed from apps before they get released to the public, can be found in various places such as XML and configuration files.

The data exposed varies based on what service the secret keys were used with, but anyone who gains possession of them would possibly be able to access the AWS service with administrator or even root privileges. In the worst cases, an outside attacker could pull up S3 storage buckets that would contain a trove of internal data and customer personal information, as well as the developer's AWS account and billing details.

"These buckets were deployed to host files and data generated from various projects," CloudSek said in a whitepaper published last week. "We found application source code, backup files, user reports, test artifacts, user uploads, logs, WordPress backups, user certificates, config files, credential files, and more, distributed across these buckets."

An accompanying blog post noted several companies deactivated the exposed API keys in their apps after being alerted by CloudSek. Those apps include Adobe Comp and Photoshop Fix, Club Factory, Hootsuite and The Weather Channel's Weather Forecast & Snow Radar.

To be clear, this is not an Amazon problem; CloudSek researchers said the fault lies with the developers. AWS best practices instruct developers and administrators not to embed secret API keys into their code and to keep the keys out of the hands of people who should not have them.

When the keys are exposed, they are fairly trivial for attackers to harvest, which is something CloudSek's researchers liken to placing a spare house key in an obvious hiding place where an intruder would be almost certain to look.

"It's a fairly simple process to extract AWS keys. The APK file is an archived package containing source code, libraries, manifests, resources, certificates and assets," CloudSek lead cyberintelligence editor Deepanjli Paulraj told SearchSecurity. "This APK ... can then be decompiled onto Java code using one of the many open source tools available on the internet."

Unfortunately, a significant percentage of app developers are not heeding the warnings, and as a result their end users are being put at risk of data theft.

These sorts of attacks are not just theoretical possibilities. CloudSek noted that exposed AWS API keys were lifted and used by criminals to pull off a 2019 data theft at security vendor Imperva that exposed customer data including 13,000 passwords, 13,500 SSL certificates and 1,400 API keys. Fallout from the incident would eventually end up costing Imperva CEO Chris Hylen his job.

CloudSek said it contacted both AWS and the affected companies before going public with the findings, and the some of the keys found in its study have since been revoked and no longer pose a risk on their own.

However, only 17% of the 40 companies have acknowledged the exposed API keys. In cases where a company does not respond and resolve the issue, Paulraj said CloudSek will notify the Play Store to have the app pulled.

Even with these removal efforts, however, the results of the limited study suggest that there are likely hundreds of thousands of other apps in the wild that are likely to contain private keys.

"Given that there are over 8 million apps available across app stores, we estimate that there are thousands of mobile apps exposing AWS keys," the CloudSek team noted. "With many of these apps catering to millions of users, there needs to be widespread awareness about the risks involved."

Dig Deeper on Application and platform security