Threat actors could access user data stored in the Amazon cloud due to vulnerabilities in nearly 2,000 iOS and Android apps

A total of 1,859 apps available for iOS and Android contain serious vulnerabilities that pose a significant security risk. The findings were detailed by Symantec, which disclosed the issue that would have put the private data of users and companies at risk.

The vulnerability concerns access tokens for the Amazon Web Services (AWS) cloud platform. According to the report, 77% of the analyzed apps contained these credentials in their code, where potential attackers could find them and use them to access private services.

One of the vulnerabilities was exploited to extract data from thousands of clients of a bank

As the researchers explain, AWS access credentials are normally used to connect the resources an application needs to fulfill its purpose, including configuration files and authentication data for other services.

The problem is that the more than 1,800 apps analyzed had the credentials embedded directly in their code. Even worse, more than half of the applications used the same access credentials as apps from other companies and developers.

To make matters worse, 47% of the identified applications contained valid AWS tokens that granted full access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud, including infrastructure files and data backups.
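A pre-release check a development team could run over an app's unpacked resources to catch the two problems described above (embedded AWS credentials, and the same credentials turning up in more than one app), added here as an example that is not part of Symantec's report. It relies on the documented AKIA/ASIA access key ID format; the secret-key match is a heuristic, and the resource lines and key values are constructed.

```python
import json
import re
from typing import Iterable

# AWS access key IDs are "AKIA" (long-lived) or "ASIA" (temporary) + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Heuristic: a 40-char base64-like token shortly after the word "secret" on the same line.
SECRET_KEY_RE = re.compile(r"(?i)secret[^\n]{0,40}?['\">=:\s]([A-Za-z0-9/+=]{40})\b")

def scan_lines(path: str, lines: Iterable[str]) -> list[dict]:
    """Return one finding per credential-looking match; secrets are reported redacted."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "access_key_id",
                             "value": m.group(1)})  # key ID is shown so it can be rotated
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "secret_access_key",
                             "value": m.group(1)[:4] + "..."})  # never echo the full secret
    return findings

def shared_access_keys(findings_by_app: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Map each access key ID to the apps embedding it, keeping only IDs seen in 2+ apps."""
    owners: dict[str, set[str]] = {}
    for app, findings in findings_by_app.items():
        for f in findings:
            if f["kind"] == "access_key_id":
                owners.setdefault(f["value"], set()).add(app)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

def audit(apps: dict[str, list[str]]) -> dict:
    """Scan every app's resource lines and flag credentials reused across apps."""
    per_app = {name: scan_lines(name, lines) for name, lines in apps.items()}
    return {"findings": per_app, "shared": shared_access_keys(per_app)}

# Constructed sample resources (an Android strings.xml, an iOS plist, a clean app); keys are fake.
SAMPLE_APPS = {
    "app_a": ['<string name="aws_access_key">AKIAEXAMPLE000000001</string>',
              '<string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>'],
    "app_b": ['<key>AWSAccessKeyId</key><string>AKIAEXAMPLE000000001</string>',
              '<key>AWSSecretKey</key><string>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>'],
    "app_c": ['<string name="api_url">https://example.invalid/v1</string>'],
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_APPS), indent=2))
```

Any hit should fail the build; the fix is to move the credential out of the app (for example behind a backend that issues short-lived, scoped tokens) and rotate the exposed key.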

After analyzing the vulnerability, the researchers detailed the case of a company that offers a communications platform for its clients as well as a mobile software development kit (SDK), and had the access keys embedded in the SDK code. As a result, the data of all its clients was exposed, including corporate data and financial records belonging to more than 15,000 medium and large companies.

That’s not all. In the case of five banking applications built for iOS, it was possible to obtain the biometric access data of more than 300,000 clients. The research team has already notified the companies that develop the affected apps. Unfortunately, Symantec has not shared a list of the applications affected by the vulnerability.