"strings" as decompiler?
Pretty sure this is a guy you don't ever want to trust with any of your financial info or PII.
Amazon's crackdown on mishandling AWS credentials has astonished one software developer, who says the cloud giant is reverse-engineering Android apps for inspection. In this blog post, Raj Bala admitted his app included his private "AWS credentials as simple strings within the app itself", and as a result, he's received a …
Beat me to it! I love strings ... It's the first tool I reach for. Half the time that's all you need to get a gist of what a binary is up to.
Reading his blog post I'd hardly say it was lashing out, but elreg's artistic license is part of its charm so meh! In fact I don't see what point he's trying to make here, especially ending with
"but my guess is that I am not alone in using credentials like this in my apps..."
I suspect he's correct... It's also the reason why we're fucked in the long term.
Sounds like this is the kind of developer who has absolutely no clue whatsoever how anything actually works by way of memory, code or anything else much... However he did fess up to it and (despite the headline here) doesn't seem to be attacking AWS. You don't always have to learn from your own mistakes.
In some ways in a modern environment it could be argued that a developer shouldn't need to know everything that's going on behind the scenes, however good developers should be aware of what's going on.
Searching a delivered package is a world away from decompiling an app. In any case, just how does this developer think the likes of Google and Amazon check that apps are not doing anything untoward? Or in this case, just plain dumb.
1. I used the word decompiler because I thought a non-technical audience would be able to somewhat understand it better than referring to the Unix strings command.
2. We made a mistake using our S3 keys in the app itself and had actually corrected it sometime back.
3. I was never upset at Amazon. Saying that I was lashing out (previous article title, now edited) is simply untrue. If The Register made any effort to contact me this would have been clear. I just thought it would be important to point out our mistake while noting that Amazon clearly inspected a binary. The latter seemed novel enough that I thought others would find it interesting as well.
4. Anonymity as a commenter on the Internet must be nice when you're impugning the character of someone you don't know.
So, totally incompetent dev is upset at Amazon for decompiling his app, which anyone can do, and discovering he just hardcoded critical security stuff as plaintext strings right in the app.
Oh yes, Amazon is clearly in the wrong here.
He never said, nor is it implied in his post, that he is upset. -1 for believing journo spin
I'm no Reg shill, but it is clearly implied that at the very least he is shocked by this, and deems it a revelation worth posting about:
> Amazon Is Downloading Apps From Google Play and Inspecting Them
> I got the following email from Amazon about one of our Android apps that uses our AWS credentials as simple strings in the app itself.
> Clearly Amazon or someone working with them is downloading apps from the Google Play Store and decompiling and/or otherwise inspecting them.
> I've since fixed this problem, but my guess is that I am not alone in using credentials like this in my apps.
I'd personally never make such a schoolboy error, but if I did, telling everyone about it would be the last thing on my mind!
> I'd personally never make such a schoolboy error, but if I did, telling everyone about it would be the last thing on my mind!
And I'd leave trying to bury one's mistakes to physicians and surgeons. The rest of us (and our customers/clients/public) are much better off owning up to them, which is what this bloke has done.
I just hope he has changed his ID or his fessing up has just alerted those who have his app already to a source.
I don't see any shock in that. He's just relating events to help others.
If there are security issues for others, then you have to be responsible.
Additionally, I've made many cockups that I'll admit to, but as I tried to say, for an error so fundamental...
Are you saying there is *nothing* embarrassing that you've ever done you'd rather keep to yourself?
Also, note, the blog post wasn't even warning/advising about the error itself - that was an aside - his story was that Amazon picked it up. I'm sure if they hadn't, and he found out his error through other means, no article would have been written.
If there's anything clearly recognisable as a key ID then they wouldn't need to decompile it, just run grep on it looking for embarrassing strings. I'd say they've done him a favour if he really has put his private key in the app for anyone to find.
Where's the lashing out? Or even vaguely implying that Amazon doing what they did is even slightly objectionable? I don't see it in the linked post at all.
It's pretty dark days for education if decompiling and disassembling is truly frowned upon.
well... according to the DMCA it is...
Luckily that draconian law is only valid in the United States of Corporate Whores. It is God's chosen land or so they drill into us though. God loves corporations after all. That's why they will soon have religious beliefs over here.
Looking for strings in code goes back to Leisure Suit Larry, possibly further. Didn't everyone go look at the strings in games? Many times the "solve" was in plain text. Other times there were Easter Eggs. And this guy thinks someone decompiled his code?
I was picking apart binaries on PR1MEs in the early 80s. When caught doing it by a lecturer, I was told how they did it in the 70s ...
Now you know why Unix has the "X" permissions as well as "R".
All I can say is...
Haha, he put his private keys and secret in the app? So if you decompile the app there is a good chance you can probably change his AWS server details using API requests... let's face it, a guy who would do this is hardly implementing fine grained security settings for his different accounts.
If anything AWS has done him a favour by pointing this out before someone actually took advantage of it, possibly with the loss of innocent parties account details.
That guy should not be called a developer. He doesn't know the first thing about security. Hell, you don't even need to decompile anything to find the strings. Grep on the binary will do.
A developer still bothering with Amazon's dead store. I used to get nagged by Amazon about my apps being out of date compared to Google Play, but the reality was that Amazon was less than 0.1% revenue for me and their restrictive rules meant special changes every release. I just removed the apps in the end and blocked all Amazon developer emails (as their support were totally useless when it came to stopping the out of date notifications).
RTFA - they're checking for credentials in apps in the Play Store - this has nothing to do with where the app is sold, it's how it's using AWS that's the issue.
This is the electronic equivalent of someone saying "excuse me, you've left your front door key in the lock, so anyone could break in and steal your stuff" - and getting a rant about snooping on his private front door for their trouble.
Meanwhile, in the alternate universe, mirror-Raj Bala is angry at Amazon *not* spotting his stupid newbie mistake, leaving him with a six figure AWS bill and a long time with the police explaining why his AWS account was being used to host malware/child porn/phishing sites...
Go read the blog, elReg even linked it for you despite totally misrepresenting it. The guy makes no complaint. It's a simple statement of facts for the education of others. There is no frowning, or complaining about Amazon's actions within it.
Decompile an operating system (and document with comments) and then I'll talk to you.
"While we're sympathetic with Bala's complaint about his software being decompiled without his permission, that's not a capability restricted to Amazon."
Well, God - or your Deity of Choice - forbid that Amazon or anyone else do this in America, ere the long arms of the DMCA reach out and jail them. This gives rise to speculation about how long before this becomes a universal crime.
>how long before this becomes a universal crime.
It won't if the Euros show some backbone.
"Bala, however, has a different bone to pick, complaining that the note is evidence that “Amazon or someone working with them is downloading apps from the Google Play Store and decompiling and/or otherwise inspecting them.”"
If Amazon is doing it, you know someone in the wild is. Storing passwords in plain text is obviously an issue.
If Amazon knows AWS key length and structure it is pretty easy for them to debug WHERE the stored keys are in the app. It really does not require a genius to find those. I could most likely do it, even if I do not know the AWS key length or structure. It just takes a bit longer to hack, as I have to determine where those keys are located.
No coder in his/her right mind is storing anything in plaintext (or hex or bin) within the program files. You might have done it in the early 90s (as they did), but not in this millennium, as it will be hacked in seconds by using any visual hex/text editor application. It was done 20 years ago, so why not now.
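Several commenters above make the same point from different angles: a `strings` or `grep` pass over the binary is all it takes, and the fixed structure of AWS keys makes them easy to spot. The check below is an added example (not code from the article, the blog post or any commenter) of that idea turned into a pre-release self-scan a developer can run over their own build artefact: a minimal `strings`-style extractor followed by pattern matches for the well-known AWS key shapes. It assumes a long-term access key ID is `AKIA` plus 16 uppercase alphanumerics (`ASIA` for temporary STS keys) and that a secret access key is 40 base64-like characters; the embedded credential values are AWS's documented placeholder examples, and the surrounding bytes are constructed.

```python
import re
from typing import Dict, List

# Minimal "strings"-style extraction: runs of at least 8 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Long-term AWS access key IDs start with "AKIA" and are 20 characters long;
# temporary (STS) key IDs start with "ASIA". Secret access keys are 40 characters
# from a base64-like alphabet, so that second pattern is only a heuristic and
# will produce some false positives on real binaries (hashes, embedded base64).
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def extract_strings(blob: bytes) -> List[str]:
    """Return the printable-ASCII runs in blob, like the Unix `strings` tool would."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def scan_for_aws_credentials(blob: bytes) -> Dict[str, List[str]]:
    """Flag extracted strings that look like AWS access key IDs or secret keys."""
    found: Dict[str, List[str]] = {"access_key_ids": [], "secret_key_candidates": []}
    for s in extract_strings(blob):
        found["access_key_ids"].extend(ACCESS_KEY_ID.findall(s))
        found["secret_key_candidates"].extend(SECRET_KEY_CANDIDATE.findall(s))
    return found


# Constructed stand-in for a compiled app: an ELF-like header and binary junk
# around two embedded credential strings. The key values are AWS's documented
# placeholder examples (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not real keys.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32)) +
    b"aws_access_key=AKIAIOSFODNN7EXAMPLE\x00" + b"\xff" * 16 +
    b"aws_secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00" +
    b"Hello, world!\x00" + bytes(range(128, 256))
)

if __name__ == "__main__":
    # Run over a real build with: scan_for_aws_credentials(open(path, "rb").read())
    print(scan_for_aws_credentials(SAMPLE_BINARY))
```

Any hit from the first pattern is a release blocker; hits from the second deserve a look but are not conclusive on their own.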
Given the absolute lack of critical reading skills shown by a number of your audience (when not lack of reading comprehension skills altogether), and how this has the potential to unfairly impact the reputation of this chap, do you think a re-write or an addendum to the article would be in order, so as not to make it look as if he's complaining about Amazon hunting for AWS keys?
Those who think they know better: you just don't know what you don't know. *Every* developer worth his salt has made pretty stupid mistakes at one point or another--the good ones have owned up to, and learned from it, and moved on. The ones that have tried to hide their errors, pretend there weren't any, or blame someone else... those are the ones that really worry me.
Better Amazon than some hacker with rather more sinister intent, you clueless, bad-coding twit.