Amazon Web Services (AWS) is the preferred cloud computing platform for enterprises, small businesses, and even governments worldwide. From NASA to Netflix, millions of companies use AWS services and APIs to meet their infrastructure needs and hosting requirements, and to enable their websites and mobile apps. This is why threat actors are constantly looking for ways to compromise a company’s AWS services to get their hands on sensitive information, user data, and internal networks.
In the past month, over 10,000 apps have been uploaded for analysis to CloudSEK’s BeVigil, a security search engine for mobile apps. Of these, we found that 40+ apps, with over 100 million downloads, have hardcoded private AWS keys. Given that there are over 8 million apps available across app stores, we estimate that there are thousands of mobile apps exposing AWS keys. With many of these apps catering to millions of users, there needs to be widespread awareness about the risks involved.