Unencrypted access keys for Amazon Cloud in thousands of apps

unencrypted access keys for amazon cloud in thousands of apps.jpg
unencrypted access keys for amazon cloud in thousands of apps.jpg

Security researchers warn against unencrypted access tokens in apps. Developers often bring problems into the house unintentionally. Particularly affected: iOS apps.


Security researchers from the software manufacturer Symantec point out the danger of unencrypted stored access data for cloud services in apps. For 1,859 publicly available apps – 98 percent of them for iOS – they found access tokens for Amazon Web Services (AWS), which enabled access to cloud data far beyond the intended purpose. In a large number of cases, app developers got this vulnerability into their programs by using external software libraries.


More than three-quarters of apps (77 percent) contained Amazon cloud access keys written in plain text in code, allowing access to private cloud data. Almost half (47 percent) of these access tokens even allowed access to millions of private files stored in the Amazon Simple Storage Service (Amazon S3).

According to the analysis by the security researchers, the high level of proliferation of the problems is often due to the fact that the developers of mobile apps unintentionally bring the problems in-house by integrating external software libraries and software development kits (SDKs). The commissioning of external service providers or companies that develop various apps and reuse code parts is one reason why the security gap is not only encountered in isolated cases. Evidence of this is that 53 percent of the apps examined contained the same AWS Access Token, even though the apps came from different developers and companies. An SDK that was used by all apps was identified as the cause.

Developers who integrate cloud services or APIs themselves should ensure that they are not stored in plain text and that access rights are set in such a way that no access to data is possible beyond the actual purpose.

The security researchers cite several concrete examples of the risks emanating from what appears to be minor negligence. The mobile SDK, for example, allowed an intranet and communication platform to access all private customer data of the platform users through a stored token. Files from 15,000 medium-sized and large companies were thus unprotected. In this case, there was a failure to restrict access to the access token, which was only deposited to use translation services in Amazon’s cloud.

The researchers also found what they were looking for in several online banking apps, all of which used the same SDK to verify the identity of users. As a result, 300,000 biometric digital fingerprints stored in the cloud were completely unprotected. In the case of a platform for online betting, read and write access to customer and company data could be obtained using the unencrypted access key. The companies whose code caused the problems were then informed by Symantec about the problems.

Previous article#TGIQF – The quiz about curious IFA gadgets
Next articleTanzu: VMware goes Kubernets
Brian Adam
Professional Blogger, V logger, traveler and explorer of new horizons.