Security search engines such as CloudSEK’s BeVigil found (in April 2021) that 0.5% of mobile apps expose AWS API keys. And given how many apps are out there, that’s a lot of keys and a lot of data that is potentially at risk of being breached.

It’s important to note that AWS is not the story here. AWS is one of the most popular cloud hosts on the planet, so there’s no surprise to see its keys being widely used. The problem is at the app level and in the software supply chain that goes with it.

More recently, Symantec looked into the issue and reported in September 2022 that – in a survey of 1859 publicly available apps (featuring Android and iOS operating systems) – it had found:

- Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services.
- Close to half (47%) of those apps contained valid AWS tokens that also gave full access to numerous (often millions of) private files via the Amazon Simple Storage Service (Amazon S3).

Worse still, hardcoded credentials are a problem that hasn’t gone away – Symantec’s team raised the same issue three years ago.

One reason for the problem’s persistence is that there are numerous ways these API key issues can arise. Kevin Watkins, a security researcher at the firm, notes that some companies outsource the development of their mobile apps, which can lead to vulnerable external software libraries and SDKs being unknowingly introduced.

Internally, the use of cross-team libraries can also present issues when vulnerabilities haven’t been picked up. And shared libraries add to the problem too, where access tokens have been hardcoded.

If the issue lies in an upstream library, vendors may not even realize that they are using hardcoded credentials, which emphasizes the importance of running security scanning and safe coding tools during software development – Snyk is one example, and there are others too. And touching back on the software supply chain issue raised by Symantec, there are solutions that can be deployed here as well, such as the software composition analysis integrations provided by Sonatype.

At this point in the discussion, it’s worth noting that adversaries may have to do a little digging to get their hands on the baked-in secrets. And if those API keys open the doors to a treasure trove of sensitive business data, then victims of the breach will be in trouble.

There are online guides showing how easy it is to scan code repositories such as GitHub for secrets and credentials. And even simply typing the Linux command `strings` (which lists all of the printable strings used in a program) could be enough to reveal clumsily hidden secrets. Tools such as MobSF – a security framework for analyzing Android and iOS software – are useful indicators of how good, or bad, the situation is.

And Microsoft is very clear in its advice to coders. “When a key is hard-coded, it is easily discovered,” writes the computing giant. “Even with compiled binaries, it is easy for malicious users to extract it.”

Data breaches happen for all kinds of reasons, but shutting the door on the use of hardcoded credentials will certainly help to raise defenses. Cloud providers such as Google and Amazon also offer tools for keeping secrets such as API keys safe. And there are lots of useful cheat sheets on how to implement secure cryptographic key management.
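To make the `strings` point above concrete from the defender's side, here is an added example (my own code, not from the article or from any of the vendors it names) of the check a build pipeline can run over a compiled library or a config file before it ships. It extracts printable runs the way `strings` does, flags AWS access key IDs by their documented `AKIA`/`ASIA` shape, and flags long tokens assigned to secret-looking names when their Shannon entropy looks like key material rather than filler. The label regex and the 3.5 bits/char threshold are this example's own heuristics; the sample binary and config are constructed, and the credential pair in them is AWS's documented placeholder pair, not a live key.

```python
import math
import re
from dataclasses import dataclass

MIN_STRING_LEN = 8  # same idea as `strings -n 8`

# AWS access key IDs have a documented shape: "AKIA" (long-term) or "ASIA"
# (temporary) followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A long token assigned to a secret-looking name, e.g. aws_secret_access_key=...
# The label list and the entropy threshold are this example's own heuristics.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(?:secret|token|passw(?:or)?d|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; real keys sit well above, filler well below


@dataclass(frozen=True)
class Finding:
    source: str   # which file or blob the string came from
    kind: str     # "aws_access_key_id" or "high_entropy_secret"
    value: str    # the matched value (keep it out of CI logs; see redacted())

    def redacted(self) -> str:
        """Show only a 4-character prefix so a report cannot leak the secret itself."""
        return self.value[:4] + "*" * (len(self.value) - 4)


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Runs of printable ASCII at least min_len long, the way `strings` finds them."""
    found, run = [], bytearray()
    for byte in blob + b"\x00":          # sentinel flushes a trailing run
        if 0x20 <= byte < 0x7F:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_blob(source: str, blob: bytes) -> list[Finding]:
    """Flag key IDs by shape and labelled tokens by entropy in one pass over the strings."""
    findings = []
    for s in extract_strings(blob):
        for m in AWS_KEY_ID_RE.finditer(s):
            findings.append(Finding(source, "aws_access_key_id", m.group(0)))
        for m in SECRET_ASSIGN_RE.finditer(s):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(source, "high_entropy_secret", m.group(1)))
    return findings


# Constructed inputs. The credential pair is AWS's documented placeholder
# (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not a live key.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"libcore.so\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x90\x90\x90hello world, this is an ordinary string\x00"
)
SAMPLE_CONFIG = (
    b"# build.gradle snippet (constructed)\n"
    b'buildConfigField "String", "API_KEY", "not-a-secret"\n'
    b'password = "aaaaaaaaaaaaaaaaaaaa"\n'   # labelled and long, but zero entropy
)


def scan_samples() -> list[Finding]:
    """Scan both constructed inputs; the config produces no finding, the binary two."""
    return scan_blob("libcore.so", SAMPLE_BINARY) + scan_blob("build.gradle", SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}: {f.kind} -> {f.redacted()}")
```

The two checks are deliberately different in kind: the key ID has a fixed, documented prefix, so a regex is enough, while the secret access key has no structure beyond length, so the scanner needs the label plus an entropy test to avoid reporting every twenty-character placeholder as a leak. Reporting only a redacted prefix matters in practice, because a CI log that prints the full match has itself become a place the secret leaks from.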