Five unnamed mobile banking apps that share the same third-party AI-based digital identity SDK may have exposed more than 300,000 users' biometric digital fingerprints, according to a report by researchers at Symantec.
Outsourcing the digital identity and authentication component of an app is a common development pattern, the researchers note, because supporting several forms of authentication is hard for app developers to build and maintain themselves.
But in this instance the approach failed dramatically: embedded in the SDK shipped inside the banking apps were Amazon Web Services (AWS) cloud credentials that, the researchers say, could expose the private authentication data and keys belonging to "every banking and financial app" using the SDK.
What is the full extent of the vulnerability?
Using the credentials embedded in the SDK, the researchers were able to reach the users' biometric digital fingerprints that the service stored in the cloud for authentication, alongside personal data such as names and dates of birth.
If Symantec's claims hold up, the researchers were also able to retrieve the API source code and the AI models behind the entire underlying operation.
But the issue goes deeper than five banking apps.
The researchers said 1,859 publicly available apps, covering both Android and iOS, contained AWS credentials.
Although Android developers aren't entirely blameless, the research found that over 97% of these vulnerable apps were iOS apps.
Of these apps, more than three-quarters (77%) contained valid AWS access tokens granting access to private AWS cloud services, and 47% contained valid tokens that also gave full access to numerous, often millions of, private files via Amazon Simple Storage Service (Amazon S3).
How can I prevent this?
The researchers did provide some tips about how to mitigate these types of vulnerabilities.
These included adding security scanning solutions to the app development lifecycle and, if using an outsourced provider, requiring and reviewing mobile app “report cards”, which they said can identify any unwanted app behaviors or vulnerabilities for every release of a mobile app.
As an app developer, the researchers suggested looking for a report card that both scans SDKs and frameworks in your application and identifies the source of any vulnerabilities or unwanted behaviors.
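The kind of scan the researchers recommend can be run against an unzipped .ipa or .apk before every release. The following is an added example written for this article, not Symantec's tooling or any vendor's report-card product: it walks the files of an extracted bundle, looks for the fixed 20-character AWS access key ID format (AKIA for long-term IAM user keys, ASIA for temporary STS keys), tries to pair each ID with a 40-character secret found shortly after it, and uses an entropy check to skip padding and other low-entropy 40-character runs. The bundle paths, SDK name and bucket name in the sample are invented; the key pair is the well-known AWS documentation example pair, not a live credential.

```python
"""
Offline scanner for hard-coded AWS credentials in an extracted mobile app bundle.
Added example for this article; not Symantec's tooling. Paths and names in the
sample bundle below are invented, and the key pair is the AWS documentation
example pair (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not a live credential.
"""
import math
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# AWS access key IDs are 20 characters: AKIA (long-term IAM user key) or
# ASIA (temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are exactly 40 characters from the base64 alphabet.
# The lookarounds reject 40-char slices of longer base64 blobs.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

SECRET_MIN_ENTROPY = 3.5  # bits per byte; real secrets score ~4.5+, padding scores ~0
SECRET_WINDOW = 512       # bytes after a key ID in which a paired secret is searched for


@dataclass
class Finding:
    path: str
    offset: int
    key_kind: str                    # "long-term" (AKIA) or "temporary" (ASIA)
    access_key_id: str
    secret_candidate: Optional[str]  # None if no plausible secret follows the ID


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bytes(path: str, blob: bytes) -> List[Finding]:
    """Find access key IDs in one file and try to pair each with a nearby secret."""
    findings: List[Finding] = []
    for m in ACCESS_KEY_RE.finditer(blob):
        kind = "long-term" if m.group(1) == b"AKIA" else "temporary"
        region = blob[m.end(): m.end() + SECRET_WINDOW]
        secret = None
        for s in SECRET_RE.finditer(region):
            cand = s.group(0)
            if shannon_entropy(cand) >= SECRET_MIN_ENTROPY:  # skip "AAAA..." style runs
                secret = cand.decode("ascii")
                break
        findings.append(Finding(path, m.start(), kind, m.group(0).decode("ascii"), secret))
    return findings


def scan_bundle(files: Dict[str, bytes]) -> List[Finding]:
    """Scan an in-memory mapping of relative path -> file bytes, in path order."""
    out: List[Finding] = []
    for path, blob in sorted(files.items()):
        out.extend(scan_bytes(path, blob))
    return out


def scan_directory(root: str) -> List[Finding]:
    """Walk an unzipped .ipa/.apk on disk; Mach-O, dex, plist and JSON are all just bytes here."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_bundle(files)


def release_gate(findings: List[Finding]) -> bool:
    """True if the bundle may ship: no long-term (AKIA) key ID anywhere in it.
    Temporary ASIA keys expire on their own; a shipped AKIA key must be rotated."""
    return not any(f.key_kind == "long-term" for f in findings)


# Constructed sample bundle (invented paths; documentation example key pair).
SAMPLE_BUNDLE: Dict[str, bytes] = {
    "Payload/BankApp.app/Frameworks/IdentitySDK.framework/IdentitySDK": (
        b"\x00\x01__TEXT\x00__cstring\x00"
        b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
        + b"padding=" + b"A" * 40 + b"\x00"          # 40 base64 chars, entropy 0: not a secret
        + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
        + b"bucket=example-biometric-store\x00"
    ),
    "Payload/BankApp.app/Frameworks/IdentitySDK.framework/session.json": (
        b'{"AccessKeyId":"ASIAEXAMPLE1234567AB","Expiration":"2022-09-01T00:00:00Z"}'
    ),
    "Payload/BankApp.app/Info.plist": (
        b"<plist><dict><key>CFBundleName</key><string>BankApp</string></dict></plist>"
    ),
}

if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"{f.path}@{f.offset}: {f.key_kind} key {f.access_key_id}"
              f" secret={'paired' if f.secret_candidate else 'none'}")
    print("release gate:", "PASS" if release_gate(results) else "FAIL")
```

Run it against a real bundle with `scan_directory("/path/to/unzipped.ipa")`. The scanner only tells you a key is present; whether it is still valid (the 77% figure above) can only be confirmed against AWS, for example by calling STS GetCallerIdentity with the pair, which this offline example deliberately does not do. Any key ID found in a shipped binary should be treated as already compromised, since every copy of the app carries it, and rotated rather than merely removed from the next build.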