"strings" as decompiler?
Pretty sure this is a guy you don't ever want to trust with any of your financial info or PII.
Amazon's crackdown on mishandling AWS credentials has astonished one software developer, who says the cloud giant is reverse-engineering Android apps for inspection. In this blog post, Raj Bala admitted his app included his private "AWS credentials as simple strings within the app itself”, and as a result, he's received a …
Beat me to it! I love strings ... It's the first tool I reach for. Half the time that's all you need to get a gist of what a binary is up to.
Reading his blog post I'd hardly say it was lashing out but elreg's artistic license is part of it charm so meh! In fact I don't see what point he's trying to make here especially ending with
"but my guess is that I am not alone in using credentials like this in my apps..."
I suspect he's correct... It's also the reason why we're fucked in the long term.
Sounds like this is the kind of developer who has absolutely no clue whatsoever how anything actually works by way of memory, code or anything else much... However he did fess up to it and (despite the headline here) doesn't seem to be attacking AWS. You don't always have to learn from your own mistakes.
In some ways in a modern environment it could be argued that a developer shouldn't need to know everything that's going on behind the scenes, however good developers should be aware of what's going on.
Searching a delivered package is a world away from decompiling an app. In any case, just how does this developer think the likes of Google and Amazon check that apps are not doing anything untoward? Or in this case, just plain dumb.
1. I used the word decompiler because I thought a non-technical audience would be able to somewhat understand it better than referring to the Unix strings command.
2. We made a mistake using our S3 keys in the app itself and had actually corrected it sometime back.
3. I was never upset at Amazon. Saying that I was lashing out (previous article title, now edited) is a simply untrue. If The Register made any effort to contact me this would have been clear. I just thought it would be important to point out our mistake while noting that Amazon clearly inspected a binary. The latter seemed novel enough that I thought others would find it interesting as well.
4. Anonymity as a commenter on the Internet must be nice when you're impugning the character of someone you don't know.
I'm no Reg shill, but it is clearly impled that the very least that he is shocked by this, and deems it a revelation worth posting about:
Amazon Is Downloading Apps From Google Play and Inspecting Them
I got the following email from Amazon about one of our Android apps that uses our AWS credentials as simple strings in the app itself.
Clearly Amazon or someone working with them is downloading apps from the Google Play Store and decompiling and/or otherwise inspecting them.
I’ve since fixed this problem, but my guess is that I am not alone in using credentials like this in my apps.
I'd personally never make such a schoolboy error, but if I did, telling everyone about it would be the last thing on my mind!
> I'd personally never make such a schoolboy error, but if I did, telling everyone about it would be the last thing on my mind!
And I'd leave trying to bury one's mistakes to physicians and surgeons. The rest of us (and our customers/clients/public) are much better off owning up to them, which is what this bloke has done.
If there are security issues for others, then you have to be responsible.
Additionally, I've made many cockups that I'll admit to, but as I tried to say, for an error so fundamental...
Are you saying there is *nothing* embaressing that you've ever done you'd rather keep to yourself?
Also, note, the blog post wasn't even warning/advising about the error itself - that was an aside - his story was that Amazon picked it up. I'm sure if they hadn't, and he found out his error through other means, no article would have been written.
Haha, he put this private keys and secret in the app? So if you decompile the app their is a good chance you can probably change his AWS server details using API requests...lets face it a guy who would do this is hardly implementing fine grained security settings for his different accounts.
If anything AWS has done him a favour by pointing this out before someone actually took advantage of it, possibly with the loss of innocent parties account details.
A developer still bothering with amazon's dead store. I used to get nagged by Amazon about my apps being out of date compared to Google play, but the reality was that Amazon was less than 0.1% revenue for me and their restrictive rules meant special changes every release. I just removed the apps in the end and blocked as Amazon developer emails (as their support were totally useless when it came to stopping the out of date notifications)
This is the electronic equivalent of someone saying "excuse me, you've left your front door key in the lock, so anyone could break in and steal your stuff" - and getting a rant about snooping on his private front door for their trouble.
Meanwhile, in the alternate universe, mirror-Raj Bala is angry at Amazon *not* spotting his stupid newbie mistake, leaving him with a six figure AWS bill and a long time with the police explaining why his AWS account was being used to host malware/child porn/phishing sites...
"While we're sympathetic with Bala's complaint about his software being decompiled without his permission, that's not a capability restricted to Amazon."
Well, God - or your Deity of Choice - forbid that Amazon or anyone else do this in America, ere the long arms of the DMCA reach out and jail them. This gives rise to speculation about how long before this becomes a universal crime.
"Bala, however, has a different bone to pick, complaining that the note is evidence that “Amazon or someone working with them is downloading apps from the Google Play Store and decompiling and/or otherwise inspecting them.”"
If Amazon is doing it, you know someone in the wild is. Storing passwords in plain text is obviously an issue.
If Amazon knows AWS Key length and structure it is prety easy for them to debug WHERE the stored keys are in the app. It really does not require a genius to find those. I could most likely do it, even I do not know the AWS Key length or structure. It just takes a bit longer to hack, as I have to determine where those keys are located.
No coder in his/her right mind is storing anything in plaintext (or hex or bin) within the program files. You might do it in early 90's (as they did), but not in this millenia. As it will be hacked in seconds by using any visual hex/text editor application. It was done 20 years ago, so why not now.
Given the absolute lack of critical reading skills shown by a number of your audience (when not lack of reading comprehension skills altogether), and how this has the potential to unfairly impact the reputation of this chap, do you think a re-write or an addendum to the article would be in order, so as not to make it look as if he's complaining about Amazon hunting for AWS keys?
Those who think they know better: you just don't know what you don't know. *Every* developer worth his salt has made pretty stupid mistakes at one point or another--the good ones have owned up to, and learned from it, and moved on. The ones that have tried to hide their errors, pretend there weren't any, or blame someone else... those are the ones that really worry me.
Biting the hand that feeds IT © 1998–2020