Study exposes vulnerability of popular mobile apps

‘Most apps fail to use private keys to protect user data’

May 12, 2021 07:11 pm | Updated 07:11 pm IST - Kochi

How safe are the countless mobile apps that a smartphone user so whimsically installs?

The findings based on an analysis of 10,000 popular apps conducted last month by CloudSEK, a Bengaluru-based Artificial Intelligence-driven Digital Risk Management Enterprise, are not so reassuring.

The analysis, done with the help of BeVigil, a free security search engine developed for assessing the threat posture of mobile apps, found that over 40 apps with more than 100 million downloads between them were highly vulnerable, endangering their internal networks and data, because of hardcoded AWS (Amazon Web Services) keys.

AWS, Amazon’s cloud computing platform used by businesses and even governments worldwide, offers compute power and database storage and allows users to interact with their infrastructure via APIs (Application Programming Interfaces).

“The API acts like a password for the app to access data stored on AWS. To put it simply, if AWS is your apartment, where you store critical data and files, the API key unlocks your front door. While API makes it easy for developers to build apps that communicate with multiple sources and efficiently manage data flowing to and from the apps, hardcoding API keys into apps is akin to locking your house but leaving the key in an envelope titled do not open,” said Rahul Sasi, founder, CloudSEK.

These keys could be easily discovered by malicious hackers or competitors, who could use them to compromise the companies’ data and networks. Recent high-profile hacks, such as the Imperva breach, have leveraged this misconfiguration to compromise cloud infrastructure.

AWS publishes documentation on accessing resources with secured keys. The fundamental security practice is not to hardcode them anywhere. If inadvertently exposed, the AWS access key should be revoked or deleted.
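The check that BeVigil's scan performs at scale can be reproduced in miniature for a developer's own build: extract the strings from an app package and look for AWS access key material before release. The following is an added example for this article, not CloudSEK or BeVigil code. It relies on AWS's published identifier format (access key IDs are 20 uppercase alphanumerics, prefixed `AKIA` for long-term IAM user keys and `ASIA` for temporary STS keys; secret access keys are 40 characters from the base64 alphabet) and uses AWS's own documentation placeholder credentials inside a constructed sample of decompiled-app strings. The `find_hardcoded_aws_keys`, `redact` and `SAMPLE_STRINGS` names are this example's own.

```python
"""Scan extracted app strings for hardcoded AWS credentials (added example).

A 40-character base64-style token on its own is a weak signal (many blobs
look like that), so a secret is only reported when it sits within a few
lines of an access key ID, which is how credential pairs are usually
embedded in config classes and resource files.
"""
import re
from typing import Dict, List

# Access key IDs: "AKIA" (long-term IAM user) or "ASIA" (temporary STS) + 16 chars.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys: exactly 40 base64-alphabet characters, not part of a longer run.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

# Constructed sample resembling `strings` output from a decompiled Android app.
# The AKIA... / wJal... pair are AWS's documentation placeholder values.
SAMPLE_STRINGS = """\
com.example.app.BuildConfig
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
https://api.example.com/v1/profile
Ljava/lang/String;
user_agent=ExampleApp/1.0
ASIAEXAMPLETEMPKEY01
okhttp3.OkHttpClient
androidx.appcompat.app.AppCompatActivity
com.example.app.MainActivity
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD
"""


def redact(key_id: str) -> str:
    """Keep only the prefix and last four characters so a report can be shared safely."""
    return f"{key_id[:4]}...{key_id[-4:]}"


def find_hardcoded_aws_keys(text: str, window: int = 3) -> List[Dict[str, object]]:
    """Return one finding per access key ID found in `text`.

    Each finding records the 1-based line number, the redacted key ID, whether
    it is a long-term or temporary key, and whether a secret-key-shaped token
    appears within `window` lines (strong evidence of a complete credential pair).
    """
    lines = text.splitlines()
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            key_id = match.group(1)
            kind = "long-term (IAM user)" if key_id.startswith("AKIA") else "temporary (STS)"
            lo, hi = max(0, idx - window), min(len(lines), idx + window + 1)
            secret_nearby = any(
                SECRET_KEY_RE.search(lines[j]) for j in range(lo, hi) if j != idx
            )
            findings.append(
                {
                    "line": idx + 1,
                    "key_id": redact(key_id),
                    "kind": kind,
                    "secret_nearby": secret_nearby,
                }
            )
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_aws_keys(SAMPLE_STRINGS):
        print(finding)
```

Run against the sample, the scanner reports the long-term key on line 2 with a secret beside it and the temporary key on line 7 without one; the 40-character blob on the last line is ignored because no key ID is near it. Any confirmed finding in a real build should be treated as the article recommends: revoke or delete the key, then move the app to credentials issued at runtime rather than shipped in the package.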

“While public API keys, such as those of Facebook and LinkedIn, are intentionally made available for other apps to verify user identities, most apps are supposed to use private keys that need to be kept secure. However, in the breakneck pace at which new versions of apps are released, it is not uncommon for developers to overlook exposed API keys,” said Shahrukh Ahmad, Chief Technical Officer, BeVigil.

Despite having over eight million apps to choose from, users, app developers, and security researchers don’t have a mechanism to determine the security posture of mobile apps. This leads to the user data being breached and sold on underground forums to the highest bidder, he said.

“We believe that a cost-effective tool like BeVigil would encourage app developers to vet their apps for identifying vulnerabilities and address them before their launch,” said Mr. Sasi. The scan reports generated by BeVigil are made available to the global CloudSEK community.
