Exposing AWS API Keys

From NASA to Netflix, Amazon Web Services (AWS) and APIs are used by millions of small companies, enterprises, and government companies worldwide for their infrastructure needs which had gotten its eyes on the attackers now! Yes, CloudSEK’s BeVigil, a security search engine for mobile apps, has found that 0.5% of mobile apps expose AWS API keys putting their internal networks and data at high risk. It is seen that 40+ apps, with over 100 million downloads, have hardcoded private AWS keys.

What is the critical flaw?

The API acts like a password for the mobile apps to access data stored on AWS, for practical understanding, let’s think that AWS is your apartment that has critical data, then the API key unlocks your front door. These keys could be easily discovered by malicious hackers or competitors who could use to compromise their data and networks.

Apps disclosing the API keys:

CloudSEK’s BeVigil is the world’s first security search engine for mobile apps, in April 2021. Sadly, developers are skipping this security check and they are shipped to app stores. over 10,000 apps have been uploaded to BeVigil for analysis on which 40+ apps had hardcoded private AWS keys.

Below is the list of apps whose keys are deactivated

OrganisationApp IDNo. of InstallsCategoryCountry
Adobe Photoshopfixcom.adobe.adobephotoshopfix10000000PhotographyUnited States
Adobe Compcom.adobe.comp500,000+Art & DesignUnited States
Weather Forecast & Snow Radarcom.weather.weather100000000WeatherUnited States
Wholee – Online Shopping Storecom.wholee1000000ShoppingSingapore
Oven Story Pizza in.ovenstory1000000Food & DrinkIndia
Hootsuite: com.hootsuite.droid.full5000000SocialCanada

Impacts Expected

AWS keys hardcoded in a mobile app source code can cause adverse effects as the attack can be chained and even attackers can get access to the codebase and config even.

This is an app in playstore with more than half a million downloads that have hardcoded AWS key and secret in its strings(.)xml file.

This key has access to multiple AWS services including ACM (Certificate Manager), ElasticBeanstalk, Kinesis, OpsWorks, S3. Collectively these 88 buckets contain 10,073,444 files and the data being exposed sums up to a total of 5.5 Terabytes.

Also, these source code, backup files, user reports, test artifacts, user uploads, logs, WordPress backup, user certificates, config files, credential files are found distributed across these buckets.

Reason for APK to be hardcoded?

  • Accessing static files from s3 buckets in the mobile app
  • Uploading data collected from the app user to s3 
  • Sending mails via the AWS SES service


If you happen to expose your AWS key, then quickly Revoke/Delete an access key.

Also Read

WeSteal: A Cryptocurrency-Stealing Malware that Sold in Dark Web Markets

Badloc- Microsoft Warns of Multiple Vulnerabilities that Could Affect a Wide Range of IoT and OT Devices

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.