Supply chain issues lead to mobile app vulnerabilities
A new study from Symantec’s Threat Hunter team examines how upstream supply chain issues can end up in mobile apps, making them vulnerable.
Issues identified include mobile app developers unknowingly using vulnerable external software libraries and SDKs, as well as companies outsourcing their mobile app development, ending up with vulnerabilities that put them at risk.
Additionally, large companies developing multiple applications within teams may end up using vulnerable cross-team libraries in their applications.
To understand the scope of these supply chain vulnerabilities, the Symantec team examined 1,859 publicly available Android and iOS apps that contained hard-coded Amazon Web Services (AWS) credentials. Interestingly, this echoes the research we covered yesterday that looked at Android apps that leak hard-coded secrets.
More than three-quarters (77%) of the applications examined contained valid AWS access tokens allowing access to private AWS cloud services, while 47% of these applications contained valid AWS tokens which also granted full access to many , often millions, of private files through Amazon’s simple storage service (Amazon S3). 53% of applications used the same AWS access tokens found in other applications, but these applications were often from different developers and companies, indicating a supply chain vulnerability. AWS access tokens could actually be traced to a shared library, third-party SDK, or other shared component used in application development.
Reasons cited for using hard-coded access keys include; download or upload the elements and resources necessary for the application, generally large multimedia files, recordings or images; access application configuration files and/or register the device and collect device information and store it in the cloud; and access cloud services that require authentication, such as translation services, for example.
In order to avoid these vulnerabilities, it is recommended to add security scanning solutions to the application development cycle and, if using an external vendor, to require and review mobile application, which can identify any unwanted behavior or vulnerability of the application for each version.
You can find out more about the Symantec Blog.