Application security isn’t just a developer’s problem. IT staff and the security team also have roles to play in setting up the infrastructure and implementing security controls. When IT administrators forget the security basics for the app’s back-end servers, they undermine the developer’s good security decisions.
Researchers at mobile security company Appthority recently analyzed apps installed on enterprise devices (including both mobile devices issued and managed by enterprise IT as well as personal devices in a BYOD scenario) and found more than 1,000 apps where data was being exposed because the apps’ backend servers lacked security controls. The servers, which hosted databases for storing user data and analytic tools to mine and analyze collected data, didn’t have firewalls, did not require authentication, and was publicly accessible from the internet.
Appthority found that those 1,000 apps were "connected to over 21,000 open Elasticsearch servers, revealing almost 43 TB of exposed data,” said Seth Hardy, Appthority’s director of security research.
Exposed data included personally identifiable information (PII) including passwords, location, travel and payment details, corporate profile data such as emails and phone numbers, and retail customer data. These are the types of information that can be used for fraud and credential-based attacks, or to launch secondary attacks such as phishing. The data exposure didn’t end if the user removed the app from his or her device, since the data was still on the leaky server and remained “at risk of being copied or downloaded by unauthorized parties,” the researchers wrote in their analysis. The data was accessed by unauthorized parties “in multiple cases” and ransomed.
Like many of the new non-relational databases, Elasticsearch doesn’t have built-in security and access control, and it is best practice to implement security externally via authentication plugins and secure APIs. Anyone who stumbles upon the Elasticsearch server, either by scanning the internet or discovering the server IP address through other means, would have full access to the data stored if security features had not been turned on. While Appthority focused on Elasticsearch because it is widely used for large enterprise data sets, multiple back-end platforms had the same problem, including Redis, MongoDB, MySQL, CouchDB and CouchBase.
Developers need to make sure they are baking security right into the application code and protecting how the app handles the data, but as Appthority’s research shows, they also need to know how the back-end servers and data stores are being configured. The security best practices for these systems are well-documented, but someone needs to be checking and verifying that these controls are implemented so that the data remains protected.
“No amount of on-device application security can make up for relaxed security where the application stores user data,” said Hardy.
Appthority dubbed the problem “HospitalGown”— because like hospital gowns, the front end is covered but since the issue lay in the application infrastructure, the back end is not. HospitalGown is not a specific vulnerability in the mobile operating system, a type of weaponized app that could lead to data compromise if installed on the mobile device, or a flaw in the app’s code. Instead, the problem exists if the app’s backend server is not configured securely with firewalls or restricting access only to authenticated users. Android and iOS apps are equally at risk.
Appthority highlighted two apps to illustrate common examples of HospitalGown. Pulse Workspace, a security access app used by enterprises to let employees securely access corporate network and applications, used a secure API to protect data being sent to the Elasticsearch server. However, the Elasticsearch data store had no firewall and lacked authentication. Researchers were able to view customer names and contact information, VPN PIN reset tokens and certificates, passcode lengths, and device information such as IMEI, OS version, and carrier data. Pulse Secure fixed the problem after being notified by Appthority.
The majority of the apps analyzed by Appthority were similar to Pulse Workspace, where the app handled the data securely but the server was left wide open, Hardy said.
Agricultural machinery manufacturer Jacto had three enterprise apps — Jacto Smart Selector, OtmisNET, and OtmiNET-Homologation — that are used to monitor operational data about equipment and manage various device parameters. The data was not securely transmitted to the back-end servers, letting attackers view everything being sent, including the server IP addresses. Researchers could see customer and partner information, PII, and operations data associated with individual equipment such as fuel consumption, as well as “track the tractors in real-time,” the report said. Appthority also found ransom notes in Jacto’s database.
Earlier this year, attackers dumped the contents of the databases on thousands of poorly protected MongoDB and Elasticsearch servers. At the time, Rapid7 looked at the Project Sonar data and found 56,000 exposed MongoDB servers, 18,000 exposed Elasticsearch servers, and 4,500 exposed CouchDB servers. Of those servers, half of the MongoDB systems, 58 percent of Elasticsearch systems, and 10 percent of CouchDB systems had been ransomed. Appthority’s research emphasizes that these servers, when attached to specific applications, put enterprises at risk for data breaches.
“Addressing HospitalGown is a critical security measure to take to ensure your enterprise is not low hanging fruit for an easy hack or extensive breach using leaked Data,” Appthority wrote in the report.
Lest you think HospitalGown is limited to free and knock-off apps, affected apps were found in multiple categories, including agricultural operations, content management, dating, education, enterprise mobile security and access management, games, news, productivity and travel. Appthority found problems in enterprise and personal apps, “some developed by respected vendors with well-vetted security practices.” It goes to show that anyone can make mistakes, and the consequences can be pretty dire.