Supply chain issues lead to mobile app vulnerabilities
A new study from Symantec's Threat Hunter team looks at how upstream supply chain issues can make their way into mobile apps, making them vulnerable.
Issues identified include mobile app developers unknowingly using vulnerable external software libraries and SDKs, as well as companies outsourcing the development of their mobile apps then ending up with vulnerabilities that put them at risk.
In addition larger businesses developing multiple apps across teams may end up using cross-team vulnerable libraries in their apps.
To get an understanding of how widespread these supply chain vulnerabilities are, Symantec’s team looked at 1,859 publicly available Android and iOS apps that contained hard-coded Amazon Web Services (AWS) credentials. Interestingly this echoes the research we covered yesterday that looked at Android apps leaking hard-coded secrets.
Over three-quarters (77 percent) of the apps examined contained valid AWS access tokens allowing access to private AWS cloud services, while 47 percent of those apps contained valid AWS tokens that also gave full access to numerous, often millions, of private files via the Amazon Simple Storage Service (Amazon S3). 53 percent of the apps were using the same AWS access tokens found in other apps, yet these apps were often from different developers and companies, pointing to at a supply chain vulnerability. The AWS access tokens could in fact be traced to a shared library, third-party SDK, or other shared component used in developing the apps.
Reasons cited for using hard-coded access keys include; downloading or uploading assets and resources required for the app -- usually large media files, recordings, or images; accessing configuration files for the app and/or registering the device and collecting device information and storing it in the cloud; and accessing cloud services that require authentication, such as translation services, for example.
In order to avoid these vulnerabilities it's recommended to add security scanning solutions to the app development lifecycle and -- if using an outsourced provider -- requiring and reviewing Mobile App Report Cards, which can identify any unwanted app behaviors or vulnerabilities for every release.
You can read more on the Symantec blog.
Image Credit: romankosolapov / depositphotos.com