Research on the overexposure of Amazon credentials in mobile apps
Mobile applications that interact with common cloud services such as Amazon Simple Storage Service (S3), Amazon Simple Notification Service (SNS), Amazon Simple Queue Service (SQS) or Amazon Mobile Analytics are becoming more frequent.
To use these services an app must authenticate to them with some kind of credential (usually token-based). We have identified unsafe programming practices, namely poor management of those credentials, which could allow an attacker to modify the behavior of the affected apps. A long-term AWS access key and secret embedded in the app package can be extracted by anyone who downloads the app, and whoever holds them gets every permission granted to that key, not just the narrow operation the app itself performs.

Published in: Technology

  1. 1. Table of contents
     1 Introduction
     1.1 Identity management in Amazon AWS
     2 Identifying the problem
     3 Data analysis
     4 Attack scenarios and hypothesis
     5 Conclusions and recommendations
  2. 2. Figure: total number of apps per market (Apple Store, Google Play, Amazon Appstore) by year, 2010 to 2014; y-axis: total number of apps, 0 to 1,500,000.
  3. 3. Credentials file found inside an analyzed app, reproduced as printed on the slide. Its own comment warns that embedding credentials in source is not secure, yet a key ID and secret have been filled in and shipped with the app:

```properties
# Fill in your AWS Access Key ID and Secret Access Key
# http://aws.amazon.com/security-credentials
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# This sample App is for demonstration purposes only.
# It is not secure to embed your credentials into source code.
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
accessKey=AKIAJZUGBMWUTJOS2A
secretKey=0OvgWIKJ3EnsmSSpw1HPzV3VgWA643LCBTfPHW+
```
  5. 5. Figure: availability of the analyzed apps in the markets: available 93%, not available 7%. Figure: different AWS access keys found: 63 in total, of which 37 operational (58.7%) and 26 not operational (41.3%).
  6. 6. Figure: sharing of access keys for different apps (bar chart, y-axis 0 to 16). Figure: total number of operational access keys (37): credentials allowing full control 22, credentials allowing write 15.
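The two findings above (a key ID and secret sitting next to each other in an app's resources, and the same key reused across several apps) can be reproduced with a small offline scanner. The following is an added example written for this page, not code from the deck or from Telefónica: it walks the files of one or more unpacked app bundles, matches the documented AWS key formats (a long-term key ID is "AKIA" plus 16 upper-case alphanumerics, a secret is 40 base64 characters), pairs each key ID with a secret found shortly after it, and reports key IDs shared by more than one app. The bundle contents, app names and paths are constructed samples; the key values are the placeholder credentials AWS uses in its own documentation, not live keys. Whether a found key is operational, and what it is allowed to do, still has to be confirmed against AWS, as the deck did for its 63 keys; this scanner only locates candidates.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Documented AWS formats: long-term access key IDs are "AKIA" + 16 upper-case
# alphanumerics (temporary STS keys start with "ASIA"); secret access keys are
# 40 characters from the base64 alphabet. The pattern is deliberately strict:
# the 18-character ID printed on the slide above is shorter than a real key ID
# and would not match.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


@dataclass(frozen=True)
class Finding:
    app: str                    # app bundle the credential was found in
    path: str                   # file inside that bundle
    access_key_id: str
    secret_key: Optional[str]   # None when no 40-char candidate follows the ID


def scan_text(app: str, path: str, text: str, window: int = 300) -> list:
    """Find access key IDs in one file and pair each with a nearby secret.

    Property files and hard-coded constants keep the secret within a few
    hundred characters of the key ID, so only that window is searched; a
    secret found elsewhere in the file is not attributed to the ID.
    """
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        tail = text[m.end(): m.end() + window]
        s = SECRET_KEY_RE.search(tail)
        findings.append(Finding(app, path, m.group(1), s.group(1) if s else None))
    return findings


def scan_bundles(bundles: dict) -> list:
    """Scan several bundles given as {app: [(path, raw bytes), ...]}.

    In practice the bytes come from the unzipped APK/IPA: asset and
    properties files, resources, decoded smali or string sections.
    """
    out = []
    for app, files in bundles.items():
        for path, data in files:
            out.extend(scan_text(app, path, data.decode("utf-8", errors="ignore")))
    return out


def shared_keys(findings: Iterable[Finding]) -> dict:
    """Map each access key ID embedded in more than one app to those apps.

    This is the deck's "sharing of access keys" case: a key extracted from
    any one of these apps also controls the resources of the others.
    """
    by_key = defaultdict(set)
    for f in findings:
        by_key[f.access_key_id].add(f.app)
    return {k: v for k, v in by_key.items() if len(v) > 1}


# Constructed sample bundles (hypothetical app names and paths, not real apps).
# Key ID and secret are AWS's documentation placeholders and are not live.
SAMPLE_BUNDLES = {
    "com.example.photos": [
        ("assets/AwsCredentials.properties",
         b"# Fill in your AWS Access Key ID and Secret Access Key\n"
         b"accessKey=AKIAIOSFODNN7EXAMPLE\n"
         b"secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    ],
    "com.example.notes": [
        ("smali/com/example/notes/S3Client.smali",
         b'const-string v0, "AKIAIOSFODNN7EXAMPLE"\n'
         b'const-string v1, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'),
    ],
    "com.example.weather": [
        ("res/values/strings.xml",
         b'<string name="aws_key">AKIAEXAMPLEEXAMPLE01</string>\n'),
    ],
}


if __name__ == "__main__":
    found = scan_bundles(SAMPLE_BUNDLES)
    for f in found:
        has_secret = "yes" if f.secret_key else "no"
        print(f"{f.app}:{f.path} -> {f.access_key_id} secret={has_secret}")
    for key, apps in shared_keys(found).items():
        print(f"{key} is shared by {sorted(apps)}")
```

The secret pattern is a heuristic: any 40-character base64 run near a key ID (a hash, a signature fragment) will be reported, so each pairing needs a manual look before it is counted, and a key ID with no secret nearby (the third sample) is still worth reporting because the secret may be assembled at runtime from other strings.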
  7. 7. The information disclosed in this document is the property of Telefónica Digital Identity & Privacy, S.L.U. (“TDI&P”) and/or any other entity within Telefónica Group and/or its licensors. TDI&P and/or any Telefónica Group entity or TDI&P’s licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice. Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDI&P. This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use. TDI&P shall not be liable for any loss or damage arising from the use of any information in this document or any error or omission in such information or any incorrect use of the product or service. The use of the product or service described in this document is regulated in accordance with the terms and conditions accepted by the reader. TDI&P and its trademarks (or any other trademarks owned by Telefónica Group) are registered service marks. All rights reserved.