As with any piece of software, mobile apps can create an array of security issues and exposures, from rogue programs that are intentionally malicious to apps that contain an obscure but significant flaw. Now, new research is shedding light on systemic oversights in mobile app cloud infrastructure that are all too common and create the risk that users’ data could leak where it shouldn’t or be compromised.

Researchers from Broadcom’s Symantec Threat Hunter team published findings on Thursday about the prevalence of hard-coded authentication credentials lurking in the cloud services that underlie hundreds of mainstream apps. These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company’s website or run text through a translation service at a user’s request. But in practice, the researchers found, these same credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components. And when multiple apps have been created by the same third-party development firm or incorporate the same publicly available software development kits (SDKs), these static authentication tokens may even grant access to the infrastructure and user data of multiple, unconnected apps.

All of this means that if an attacker discovered these access tokens, they could potentially unlock massive and disparate troves of sensitive data all by finding one key under one doormat.

“The cloud is still kind of a new frontier. And sometimes when you hear about the practices being used, you realize that a lot of organizations may not be where they are with security on other fronts,” says Symantec’s Dick O’Brien. “It’s hard to say whether it’s people cutting corners or whether it’s just an ignorance of what you’re exposing by putting those credentials out there, but it’s certainly obvious that data isn’t being ring-fenced anywhere near the way it should be.”

The researchers found 1,859 publicly available apps on both Android and iOS that contained hard-coded Amazon Web Services credentials. The vast majority were iOS apps, a discrepancy Symantec says it has tracked for years but hasn’t fully explained. The credentials present in more than three-quarters of the apps granted access to private cloud services, and nearly half of those additionally gave access to private files. Fifty-three percent of the apps contained access tokens that were also found in other, often totally unrelated, apps.

“Initially it was very surprising, but this is a systemic thing,” O’Brien says. “People need to do a complete audit of what they’re using and realize that there are multiple layers there. The practice of implementing hard coded access keys is not great. Temporary credentials that expire after a short period of time are probably the way to go, and also there needs to be greater awareness that you need to silo information.” 

Symantec says it has notified the developers of the apps where it sees the most pressing issues and hopes to raise awareness about how insecure development practices and shared resources can create exposures without careful consideration and segmentation. 

In one case, the researchers realized that several mainstream iOS banking apps were all using the same third-party AI digital identity software development kit that exposed cloud credentials of the shared service. While none of the banking apps themselves created the SDK, the credentials exposed its server structure and infrastructure blueprints, source code, and the AI models underlying the identity service. And more than 300,000 biometric fingerprint files from users of five of the mobile banking apps were leaking and potentially exposed.

In another case, the researchers noticed what it calls a large hospitality and entertainment company working with a technology company on sports betting apps. In total, hard-coded credentials gave infrastructure access to 16 online gambling apps, exposing their cloud services and even granting root access to take control of this backend platform. 

Symantec’s O’Brien emphasizes that while the company isn’t naming the impacted apps, it hopes the findings will raise awareness about these common pitfalls and their potentially outsize impact on users. “The things we found—it illustrates the significance of what we’re dealing with here,” he says.

Advantages of local domestic helper.