Hardcoded credentials for cloud services like Amazon Web Services (AWS) and Microsoft Azure Blob Storage have been found in multiple popular mobile applications for iOS and Android, leaving millions of users’ data exposed to security breaches. These unencrypted credentials can be easily accessed by anyone with the app’s code or binary, allowing hackers to manipulate or steal sensitive user information.
Symantec, a Broadcom company, has reported this trend, citing errors and bad practices during development as the main cause. Its researchers found these credentials in apps like Pic Stitch (5 million+ downloads), Meru Cabs (5 million+ downloads), Sulekha Business (500,000+ downloads), and others.
These exposed credentials pose a significant threat to user data security, including storage buckets and databases containing sensitive information. Developers are advised to follow best practices for protecting sensitive data in mobile apps, such as using environment variables, secrets management tools, encryption, regular code reviews and audits, and automated security scanning early in the development process.
The presence of these credentials does not necessarily mean that user data has been stolen, but it indicates a vulnerability that can be exploited by hackers unless developers take action to remove this risk.
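The automated scanning recommended above can start as a simple pre-commit or CI check that looks for the two credential types named in the report. The following is an added example, not code from Symantec or from any of the apps mentioned; the key-format signatures, the entropy threshold, and the sample config file are assumptions and constructed inputs (the AWS values are AWS's own documented example credentials).

```python
import base64
import math
import re
from typing import List, Tuple

# Signatures for the credential types the report names. Assumptions, not from
# the article: AWS access key IDs are 20 chars starting with AKIA/ASIA, AWS
# secret keys are 40 chars of [A-Za-z0-9/+], and Azure Storage connection
# strings carry an 88-char base64 AccountKey ending in "==".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_?secret_?access_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}
MIN_ENTROPY_BITS = 3.0  # assumed cutoff; drops filler lookalikes such as AKIAAAAA...


def shannon_entropy(s: str) -> float:
    """Bits per character: real keys score high, padded placeholder strings low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it; never log the full secret."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, credential_kind, redacted_value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)  # captured key, or whole match
                if shannon_entropy(value) >= MIN_ENTROPY_BITS:
                    findings.append((lineno, kind, redact(value)))
    return findings


# Constructed sample of an app config file (not from any real app). The Azure
# key is the base64 of bytes 0..63: right length and alphabet, no real account.
FAKE_AZURE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE = f"""\
const API_HOST = "https://api.example.invalid";
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
const AZURE = "DefaultEndpointsProtocol=https;AccountName=acct;AccountKey={FAKE_AZURE_KEY};EndpointSuffix=core.windows.net";
const BUILD_TAG = "{'AKIA' + 'A' * 16}";
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} -> {shown}")
```

Running the same scanner over `strings` output from a built APK or IPA catches keys that were introduced after the source review, which is the stage at which the report says these credentials usually slip through.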
Source: https://www.bleepingcomputer.com/news/security/aws-azure-auth-keys-found-in-android-and-ios-apps-used-by-millions/