Following the news that:
Digital identity provider SDK leaves hundreds of thousands of biometric records vulnerable
Following the news that:
Digital identity provider SDK leaves hundreds of thousands of biometric records vulnerable
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The stats behind these findings really are truly alarming and point to an urgent need for change in coding practices by app developers. Even in apps within regulated marketplaces such as banking and gambling the use of poorly maintained shared libraries, is leaving literally millions of users’ data vulnerable. The large majority of these apps (77%) had hard-coded access tokens to private AWS services and of those, 47% gave access to large private files within S3 (AWS’s storage).
By far the most alarming element is that many of these apps used the same Digital Identity SDK which contained cloud credentials that could place entire infrastructures at risk as well as compromising the irrevocable biometric data of end-users alongside their respective names, dates of births etc.
For the 300,000 biometric digital fingerprints that were leaked across five mobile banking apps using the SDK there is no going back. Similarly, 16 different online gambling apps using the vulnerable library exposed full infrastructure and cloud services with full read/write ‘master’ account credentials.
App developers cannot expect publicly available shared libraries to provide secure and well-maintained solutions for complex authentication requirements and they take colossal risks of brand and business should they do so.