Digital identity provider SDK leaves hundreds of thousands of biometric records vulnerable

Apps with exposed AWS access tokens are exposing biometric data, according to a new blog post from cybersecurity software provider Symantec. Hundreds of thousands of fingerprint records have been found unsecured online.

The mobile app supply chain turns out to be only as secure as its least diligent software or technology provider.

Symantec found a vulnerable third-party SDK that uses AI for digital identity verification and is embedded in several popular banking apps on iOS.

“Embedded in the SDK were cloud credentials that could place entire infrastructures at risk,” writes Symantec Security Researcher Kevin Watkins. “The credentials could expose private authentication data and keys belonging to every (emphasis Symantec’s) banking and financial app using the SDK. Furthermore, users’ biometric digital fingerprints used for authentication, along with users’ personal data (names, dates of birth, etc.), were exposed in the cloud.”

The access key exposed the infrastructure server, API source code and AI models, along with more than 300,000 fingerprint templates across five mobile banking apps that use the SDK.

This particular SDK is far from alone. Symantec found that more than three-quarters of the apps it examined contain valid AWS access tokens that can be used to get into private clouds running on AWS.

Issues identified by Symantec also include mobile apps outsourced to developers who are unable to properly secure them, and larger companies that develop multiple apps across teams and end up sharing vulnerable libraries between those teams.

Ultimately, Symantec recommends adding security scanning to the app development lifecycle and requiring outside developers to use mobile app report cards that scan both SDKs and frameworks for vulnerabilities and insecure behavior.
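As an illustration of the kind of scan that recommendation implies, the following added example (not from Symantec or this article) inspects an iOS app archive for hard-coded AWS access key IDs and attributes each hit to the embedded framework that carries it. The app and SDK names and the archive contents are constructed for the example; the key ID is the sample value from AWS documentation.

```python
import io
import re
import zipfile
from collections import defaultdict

# AWS access key IDs: 20 chars, "AKIA" (long-term) or "ASIA" (temporary STS).
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Embedded frameworks live under Payload/<App>.app/Frameworks/<Name>.framework/
FRAMEWORK = re.compile(r"^Payload/[^/]+\.app/Frameworks/([^/]+)\.framework/")


def scan_ipa(ipa_bytes):
    """Return {component: sorted key IDs} for every file in the .ipa archive.

    component is the embedded framework name, or "app" for the app's own files.
    """
    findings = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if info.is_dir():
                continue
            match = FRAMEWORK.match(info.filename)
            component = match.group(1) if match else "app"
            # Scan raw bytes so both plists and compiled binaries are covered.
            for hit in KEY_ID.findall(ipa.read(info)):
                findings[component].add(hit.decode("ascii"))
    return {name: sorted(keys) for name, keys in findings.items()}


def build_sample_ipa():
    """Constructed sample archive; names and contents are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Bank.app/Bank", b"\x00binary\x00no secrets here")
        z.writestr("Payload/Bank.app/Frameworks/IdVerifySDK.framework/IdVerifySDK",
                   b"\xfe\xed\xfa\xcf...accessKey\x00AKIAIOSFODNN7EXAMPLE\x00region")
        # Too short to be a key ID: must not be reported.
        z.writestr("Payload/Bank.app/Frameworks/Charts.framework/Info.plist",
                   b"<plist><string>AKIATOOSHORT</string></plist>")
    return buf.getvalue()


if __name__ == "__main__":
    for component, keys in scan_ipa(build_sample_ipa()).items():
        print(f"{component}: {len(keys)} key ID(s) found: {keys}")
```

A key ID match is a lead for review rather than proof of exposure; grouping hits by framework shows whether the credential came from the app's own code or from a third-party SDK.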

The app vulnerability discovery follows an even larger biometric data breach suffered by a Chinese access control provider and revealed this week.
