Uncovering the App Cloud Access Risks under Recommended IAM Security Practices
Authors: Hengtong Lu (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Yan Zhang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Qingfeng Tang (Macau University of Science and Technology, FIE), Pengwei Zhan (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China)
Volume: 2025
Issue: 4
Pages: 763–776
DOI: https://doi.org/10.56553/popets-2025-0156
Abstract: The rapid development of mobile applications and cloud computing has led to the widespread adoption of cloud service platforms for mobile backend services. However, improper use of cloud credentials has frequently resulted in the leakage of application data on cloud servers. Despite security recommendations from cloud service providers, vulnerabilities persist. To assess the effectiveness of these measures, we propose a detection system to identify cloud credential leaks in mobile applications, including hard-coded credentials and those stored on servers. We analyzed 21,724 applications from Google Play and one Chinese market, revealing new attacks triggered by stolen cloud credentials. Our findings indicate that even temporary credentials recommended by cloud providers may pose security risks. We identified 893 applications using cloud credentials from the three major providers, with 945 credentials found. By analyzing these credentials, we uncovered severe vulnerabilities in 356 apps, such as personally identifiable information (PII) leakage, credential forgery, and remote code execution (RCE). These issues threaten user privacy and app security. We also evaluated developer adherence to recommended IAM best practices and provided suggestions for improving cloud credential security, highlighting issues such as improper permissions, insufficient protection, outdated versions, and regional variants.
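The abstract describes a detection system that finds hard-coded cloud credentials in mobile apps, but does not show how such a check looks in practice. The following is an added illustration written for this page, not the authors' detection system: it scans strings extracted from an app package (for example the output of `strings` over `classes.dex` or decompiled resources) for access key IDs and separately flags temporary-credential formats, since the abstract notes that temporary credentials can also be risky. The provider prefixes (AWS `AKIA`/`ASIA`, Alibaba Cloud `LTAI`, Tencent Cloud `AKID`) are assumptions taken from the providers' public key-ID formats; the abstract does not name the three providers. The sample strings are constructed and use the AWS documentation placeholder key, so nothing here is a real credential.

```python
"""Scan strings dumped from a mobile app for hard-coded cloud access key IDs.

Added example, not the paper's detection system. The prefix patterns are
assumptions based on the providers' public key-ID formats. Only the key ID
is matched; whether a usable secret sits next to it must be confirmed by
hand, and a match is a lead, not proof of a live credential.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed public key-ID formats (prefix + fixed-length alphanumeric body).
PATTERNS = {
    "aws-long-term": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws-temporary": re.compile(r"\bASIA[0-9A-Z]{16}\b"),   # STS-issued key IDs
    "alibaba": re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b"),
    "tencent": re.compile(r"\bAKID[A-Za-z0-9]{32}\b"),
}

# Kinds that the providers' guidance treats as "safer" short-lived credentials;
# the abstract's point is that these still need to be reviewed when shipped in an app.
TEMPORARY_KINDS = {"aws-temporary"}


@dataclass(frozen=True)
class Finding:
    kind: str       # key in PATTERNS
    key_id: str     # the matched access key ID
    location: str   # file inside the package where it was seen
    temporary: bool # True if the format denotes a short-lived credential


def scan_strings(strings: Iterable[Tuple[str, str]]) -> List[Finding]:
    """strings: (location, text) pairs, e.g. one per extracted string.

    Returns findings in encounter order, deduplicated by key ID so a key that
    appears in several files is reported once (at its first location).
    """
    seen = set()
    findings: List[Finding] = []
    for location, text in strings:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                key_id = match.group(0)
                if key_id in seen:
                    continue
                seen.add(key_id)
                findings.append(
                    Finding(kind, key_id, location, kind in TEMPORARY_KINDS)
                )
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, useful for a per-app triage table."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample resembling a string dump of an APK (no real credentials;
# the AWS values are the placeholder key from the AWS documentation).
SAMPLE_STRINGS = [
    ("res/values/strings.xml",
     '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>'),
    ("assets/config.json",
     '{"sts_key": "ASIAIOSFODNN7EXAMPLE", "region": "ap-southeast-1"}'),
    ("classes.dex",
     "LTAIfakeExampleKeyId0 AKID0123456789abcdef0123456789abcdef"),
    ("classes.dex",
     "no credential here, just a URL https://example.com/api"),
]


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        flag = " (temporary credential: still review its scope/expiry)" if f.temporary else ""
        print(f"{f.kind:14} {f.key_id}  in {f.location}{flag}")
    print(summarize(scan_strings(SAMPLE_STRINGS)))
```

In a real triage the scanner would be run over every string-bearing artifact in the unpacked package (DEX strings, native libraries, assets, and resource XML), and each hit would then be paired with a nearby secret and checked against the provider's IAM API to learn what the key can actually do; that permission check is where the abstract's "improper permissions" findings come from.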
Keywords: Mobile Apps, Cloud Service, Security Risk
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
