A backend data exposure vulnerability points toward the connection between mobile apps and insecure databases, new research found.
Over 1,000 apps have the vulnerability, which Appthority researchers call HospitalGown.
Researchers analyzed 39 applications with big data leaks exposing 280 million records. These records were accessible as a result of weakly secured backends and did not require authentication of any kind to access the data, the researchers said.
“HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers’ failure to properly secure the backend (hence its name) servers with which the app communicates and where sensitive data is stored,” said Seth Hardy, Appthority director of security research. “These apps leak massive amounts of data. Our first case study, a security app, leaked about 8 GB of data, including over 16,000 customer records containing personally identifiable information (PII) such as full customer names, email addresses, phone numbers, PIN reset tokens, device information, and password lengths. In our second case study, 4 GB of data revealed 36 million records including customer, partner, and government agency records from over 10 countries, and real-time telemetry data from large agricultural machinery.”
Researchers analyzed the network traffic of over a million enterprise mobile iOS and Android apps and discovered over 21,000 open Elasticsearch servers with unprotected data connected to apps frequently found on enterprise devices.
Key finding of the research include:
• Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data
• Apps using just one of these services revealed almost 43TB of exposed data
• Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees’ VPN PINs, emails, phone numbers), and retail customer data
• In multiple cases, data has already been accessed by unauthorized individuals and ransomed
• Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers
“The HospitalGown vulnerability isn’t just theoretical. Hundreds of apps are leaking terabytes of data, all due to simple human error – failure to secure the backend data stores,” Hardy said. “We recommend that, where possible, enterprises refrain from using apps that access or send sensitive information, particularly if the data is not encrypted in transit and at rest. If the use of an app impacted by HospitalGown is necessary, we suggest contacting the app developer or vendor to verify that the backend server has been secured.”
Click here to register to download the report.