
Amazon Is Downloading Apps From Google Play and Inspecting Them


I got the following email from Amazon about one of our Android apps that used our AWS credentials as simple strings in the app itself.  

Clearly Amazon or someone working with them downloaded our app from the Google Play Store and decompiled and/or otherwise inspected it, perhaps using the Unix strings command.

We’ve since fixed this problem, but my guess is that I am not alone in using credentials like this in my apps.

UPDATE:  It’s been stated in various places that I was “lashing out” or otherwise upset with Amazon.  That’s simply not the case.  I was both pointing out our mistake and simultaneously noting how interesting it was that Amazon examined a binary hosted on an app store looking for AWS credentials.  
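The author guesses that Amazon found the keys with something like the Unix strings command. As an added example (not code from the original post or from AWS), here is a pre-publish check in the same spirit that a developer can run against a built app: pull printable runs out of the binary, flag anything shaped like an AWS access key ID, and pair it with any 40-character secret-like string nearby. The sample binary is constructed, and the AKIAIOSFODNN7EXAMPLE / wJalr... values are the placeholders from AWS's own documentation, not real keys.

```python
import re
import string

# Emulate the Unix `strings` tool: runs of printable ASCII at least MIN_LEN bytes long
# (tab/newline-style whitespace is treated as a separator, as `strings` does).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 4

# AWS long-term access key IDs are 20 characters beginning with "AKIA"; the matching
# secret key is 40 characters of base64-style text. A bare 40-character match is far too
# noisy on its own, so secrets are only reported when they sit close to a key ID.
KEY_ID_RE = re.compile(rb"AKIA[0-9A-Z]{16}")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Yield (offset, run) for every printable-ASCII run of at least min_len bytes."""
    start = None
    for i, b in enumerate(blob + b"\x00"):  # trailing sentinel closes the final run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, blob[start:i]
            start = None

def find_aws_credentials(blob: bytes, window: int = 256):
    """Return embedded AWS key IDs, each with any secret-like strings within `window` bytes.
    Only ASCII is scanned; UTF-16 Android string resources would need a separate wide pass."""
    runs = list(extract_strings(blob))
    findings = []
    for off, run in runs:
        for m in KEY_ID_RE.finditer(run):
            key_off = off + m.start()
            nearby = [r for o, r in runs if abs(o - key_off) <= window]
            secrets = [s.decode() for r in nearby for s in SECRET_RE.findall(r)]
            findings.append({"offset": key_off, "key_id": m.group().decode(), "secrets": secrets})
    return findings

# Constructed sample: a fake slice of a compiled app, binary bytes around the strings.
# The key ID and secret are the placeholder values from AWS's own documentation, not real keys.
SAMPLE_APP = (
    b"dex\n035\x00" + b"\xff" * 16
    + b"com/example/app/S3Uploader\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00\x07\x13"
    + b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x00" * 8 + b"my-bucket-name\x00"
)
```

Run it over the unzipped APK contents (classes.dex, native libraries, resources) as a CI gate; a single hit is reason to rotate the key before the build ships.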

Dear AWS Customer and Android App Developer,

Your security is important to us, and we want to assist you in keeping your applications secure. We were recently made aware that an Android application published in the Google Play store contains credentials associated with your AWS account, making those credentials publicly available.

Specifically, the Android application(s) listed below, which you developed and have published in the Google Play Store, were not developed according to AWS recommended security best practices, and you have embedded your AWS Key ID (AKID) and its corresponding AWS Secret Key within the app:

AppName

This exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application’s users.

To prevent any unauthorized use of or access to your AWS account, we strongly encourage you to invalidate these publicly exposed AWS credentials by rotating credentials as detailed here, as soon as possible:

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_RotatingCredentials.html

We also strongly encourage you to immediately review your AWS account for any unauthorized AWS usage, suspect running instances, or inappropriate IAM users and policies.

For your security and the security of your application’s users, we strongly recommend re-writing your app to follow our security best practices for Android application developers, as summarized in the links below.  If you cannot make this change immediately, then we recommend you contact Google Play, and consider suspending publication of your app until you can take the necessary steps to prevent any unauthorized use of your AWS credentials.

As a reminder, our recommended security best practices for Android application developers who leverage AWS as part of their app strongly suggest that you do NOT distribute long-term AWS security credentials with your Android application such as those for an AWS account or for an IAM user, and instead, build an app such that it requests temporary security credentials.  AWS provides tools to help you with this, such as the AWS Token Vending Machine (TVM), which uses the AWS Security Token Service to issue temporary credentials.  Developers can also leverage Web Identity Federation (WIF) to create applications that authenticate users using identity providers, such as Amazon, Google, or Facebook.

For more information about AWS TVM, please read our tutorial, “Authenticating Users of AWS Mobile Applications with a Token Vending Machine”:

http://aws.amazon.com/articles/4611615499399490

For more details on WIF, please read “Creating Temporary Security Credentials for Mobile Apps Using Identity Providers”:

http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html

For more details on IAM, AWS credentials, and associated best practices, please read “IAM Best Practices”:

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

We hope you find this information useful and that you take appropriate actions quickly.  Please do not hesitate to contact AWS Support if you require any assistance with the recommended actions above.
