A disturbing new report finds that three-quarters of mobile applications analyzed contained valid Amazon Web Services Inc. access tokens that allowed access to private AWS cloud services.

The findings were detailed today by Kevin Watkins, a security researcher on Symantec’s Threat Hunter Team. The situation involved 1,859 publicly available apps on both Google LLC’s Android operating system and Apple Inc.’s iOS. Surprisingly, 98% of apps exposing AWS access tokens were iOS apps.

Of the apps with AWS credentials, 77% contained AWS access tokens allowing access to private AWS cloud services. Nearly half of those apps had valid AWS tokens giving access to millions of private files on Amazon S3.

However, the shared AWS credentials were not all linked to the developer of specific apps. More than half of apps with AWS credentials were found to be using the same tokens found in other apps, often from different app developers and companies. Watkins noted that this points to a supply chain vulnerability, with the tokens often traceable to a shared library, third-party software development kit, or other share component used in developing the apps.

As to why developers are using hard-coded access keys, the research found that reasons included downloading or uploading assets and resources required for the app, typically large media files. Accessing configuration files for the app or registering the device and collecting device information and storing it in the cloud were other reasons, along with accessing cloud services that require authentication, such as translation services.

Finally, the research found that in some cases there was no noticeable reason for the AWS tokens to appear. They were possibly in the apps because of “dead code” or they were used in testing and never removed.

“Any credentials hard-coded into apps are a bad idea,” Tony Goulding, cybersecurity evangelist at privileged access management company Delinea Inc., told SiliconANGLE. “Ideally, they’re replaced with an API call to a repo, such as a SaaS vault, so they can pull a credential or key down in real time that doesn’t persist on the device, in the app, or in a local config file.”

Goulding noted that an alternative approach to hard-coded tokens is to use the AWS STS service to provision temporary tokens to grant access to AWS resources.

“They’re similar to their long-term brethren except they have a short lifespan that’s configurable – as little as 15 minutes,” Goulding explained. “Once they expire, AWS won’t recognize them as valid, preventing an illicit API request using that token. This is better cyber hygiene that follows the principles of just-in-time access without leaving credentials standing or exposed.”

John Bambenek, principal threat hunter at cybersecurity company Netenrich Inc., said that although some measure of access control may be needed to download a shared library or resource files, making sure those credentials can download only those necessary components is essential.

“It seems some organizations have resolved their problems with wide-open S3 buckets by putting in one key for full access and then using that widely and distributing it everywhere,” Bambenek added. “Such practices do little more than ensure that I can never retire.”

Image: AWS