Hard-coded AWS credentials were discovered in Android and iOS apps, a flaw that malicious actors could exploit to breach private databases, resulting in the loss of personal data and data breaches.
Broadcom Software researchers discovered 1,859 publicly available apps with hard-coded AWS credentials. The vast majority, 98%, of the apps were iOS apps.
According to the recently released report, more than three-quarters of apps had valid AWS access tokens that allowed them to access private AWS networks. Half of the apps with valid tokens provided full access to a plethora of personal files via the Amazon Simple Storage Service (Amazon S3).
These databases are frequently filled with sensitive information such as user account information, registration data, app logs, and other details.
In several cases, developers of popular banking apps used an SDK with hard-coded AWS credentials. If discovered by threat actors, the error could cost app developers dearly.
"Cloud credentials were embedded in the SDK, putting entire infrastructures at risk," the report's authors wrote. "The credentials could expose private authentication data and keys belonging to every banking and financial app using the SDK."
To make matters worse, access tokens enabled access to a cloud database containing users' biometric digital fingerprint data, names, dates of birth, and other highly sensitive information.
According to the researchers, the hard-coded AWS access token was left in place so that users could access the AWS translation service.
"Instead of restricting the hard-coded access token for use with the translation cloud service, anyone with the token had full, unrestricted access to all of the B2B company's AWS cloud services," the report's authors wrote.
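As an added example (not code from the report or the article), the script below does two defender-side checks the findings call for: it scans strings pulled from an app bundle for AWS access key IDs and secret keys, and it reports which services an IAM policy lets a key reach, contrasting an unrestricted policy with one scoped to the translation call the apps actually needed. The sample strings, the key values (AWS documentation placeholders) and both policies are constructed for the example.

```python
import re

# Access key IDs (long-lived AKIA..., temporary ASIA...) are 20 characters long.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 base64 characters; require a "secret ... key" label nearby.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})\b")

# Constructed sample of strings from a decompiled app bundle; the key values
# are the placeholders used in AWS documentation, not real credentials.
SAMPLE_STRINGS = """\
com.example.translate.Client
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
https://translate.us-east-1.amazonaws.com
"""

# Constructed IAM policies: the unrestricted one the report describes beside
# a least-privilege one allowing only the translation call the app needs.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["translate:TranslateText"], "Resource": "*"}]}

def find_aws_credentials(text):
    """Return (kind, line_no, value) for every credential-shaped string."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append(("access_key_id", no, m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append(("secret_access_key", no, m.group(1)))
    return hits

def granted_services(policy):
    """Set of service prefixes the policy's Allow statements reach; '*' = all."""
    services = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            services.add("*" if action in ("*", "*:*") else action.split(":")[0])
    return services

if __name__ == "__main__":
    for kind, no, value in find_aws_credentials(SAMPLE_STRINGS):
        print(f"line {no}: hard-coded {kind} starting {value[:4]}...")
    for name, pol in (("unrestricted", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name} policy reaches services: {sorted(granted_services(pol))}")
```

Run against strings extracted from a real build (for example the output of `strings` on the app binary or its bundled config files); any hit means the key must be revoked and the access it was granted reviewed, since the report shows such keys often reach far more than the one service the app used.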