Security threats from mobile applications continue to be a major risk for developers and users. Cybercriminals often try to exploit vulnerabilities or misconfigurations in the cloud infrastructure of iOS and Android mobile applications, exposing users’ personal information and taking control over other apps on the device.
Despite robust security scans, several malicious apps are still making their way to official app stores. To find any potential vulnerabilities and security loopholes in several mobile applications, cybersecurity firm CloudSEK recently launched BeVigil, a security search engine that helps determine an app’s security posture before installing.
BeVigil’s Analysis
BeVigil found that 0.5% of mobile apps expose Amazon Web Services (AWS) Application Programming Interface (API) keys, leaving users’ sensitive information at high risk. Out of 10,000 apps that were analyzed using BeVigil, the company found more than 40 apps exposing private AWS keys. All 40 apps are popular with over 100 million downloads.
“Given that there are over 8 million apps available across app stores, we estimate that there are thousands of mobile apps exposing AWS keys. With many of these apps catering to millions of users, there needs to be widespread awareness about the risks involved. more than 100 million downloads. CloudSEK has responsibly disclosed these security concerns to AWS and the affected companies independently,” CloudSEK said.
Some of the popular apps that were leaking private AWS keys include: Clubfactory, Adobe Photoshopfix, Adobe Comp, Weather Forecast & Snow Radar, Wholee – Online Shopping Store, Oven Story Pizza, and Hootsuite.
Also Read: How to Secure Your Mobile Apps
Risks Associated with Leaked AWS Keys
Exposed AWS keys offer a pool of possibilities to threat actors to misuse the keys and illicitly obtain access to the app’s cloud infrastructure. “CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise their data and networks. While this is not a flaw in AWS, it is evidence of how sloppily AWS keys are handled. So, it is up to individual companies to address the security concerns associated with using AWS services,” CloudSEK added.
Also Read: How to Spot Malicious or Fake Apps