Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk.
Interestingly, a little more than 50% of the apps were found using the same AWS tokens found in other apps maintained by other developers and companies, highlighting a supply chain issue with serious implications.
These credentials are typically used for downloading appropriate resources necessary for the app’s functions as well as accessing configuration files and authenticating to other cloud services.
To make matters worse, 47% of the identified apps contained valid AWS tokens that granted complete access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included infrastructure files and data backups, among others.
The development comes as researchers from CloudSEK revealed that 3,207 mobile apps are exposing Twitter API keys in the clear, some of which could be utilized to gain unauthorized access to Twitter accounts associated with them.
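A defender-side check for the AWS findings above, as an added example that is not taken from the researchers' report: it scans the files of unpacked app bundles for strings shaped like AWS access key IDs and lists any key ID present in more than one app, which is the cross-app reuse the article describes as a supply chain issue. The app names, file paths and keys are constructed samples (`AKIAIOSFODNN7EXAMPLE` is the placeholder key used in AWS documentation), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA = long-term,
# ASIA = temporary) followed by 16 uppercase alphanumerics. The lookarounds
# stop a match from starting or ending inside a longer uppercase token.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def find_key_ids(files):
    """Return {key_id: [path, ...]} for one unpacked app ({path: bytes})."""
    hits = defaultdict(list)
    for path, data in files.items():
        for match in KEY_ID_RE.finditer(data):
            hits[match.group().decode()].append(path)
    return dict(hits)


def shared_keys(apps):
    """Return {key_id: [app, ...]} for key IDs found in more than one app."""
    owners = defaultdict(set)
    for app, files in apps.items():
        for key_id in find_key_ids(files):
            owners[key_id].add(app)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


# Constructed sample input: two apps that bundle the same third-party library,
# which carries its own embedded key ID.
SAMPLE_APPS = {
    "com.example.shop": {
        "assets/config.json": b'{"accessKey": "AKIAIOSFODNN7EXAMPLE"}',
        "lib/vendor_sdk.bin": b"\x00\x01init\x00AKIAEXAMPLESDK000001\x00",
    },
    "com.example.news": {
        "lib/vendor_sdk.bin": b"\x00\x01init\x00AKIAEXAMPLESDK000001\x00",
        "res/strings.xml": b"<string name='title'>News</string>",
    },
}

if __name__ == "__main__":
    for app, files in SAMPLE_APPS.items():
        print(app, find_key_ids(files))
    print("shared across apps:", shared_keys(SAMPLE_APPS))
```

A key ID that shows up under a bundled library path in several unrelated apps points at the dependency rather than at any one developer, so the fix belongs upstream as well as in each app.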