Today, Appthority, the global leader in enterprise mobile threat protection, published research on a newly discovered backend data exposure vulnerability, dubbed HospitalGown, that highlights the connection between mobile apps and insecure backend databases containing enterprise data. Appthority documented more than 1,000 apps with this vulnerability, and researched in detail 39 applications with big data leaks, which exposed an estimated 280 million records. These records were accessible as a result of weakly secured backends and did not require authentication of any kind to access the data.
Data leakage, especially leaks of personally identifiable information (PII), significantly increase the risk of spear phishing, brute force login, social engineering, and data ransom attacks on enterprises with employees, partners or customers that currently or have ever used the compromised apps. Appthority has reached out to the mobile application developers, app stores, and hosting providers associated with the data leaks.
“HospitalGown poses a direct risk to enterprises, opening them to an easy breach, exfiltration of sensitive data, and the costs from remediation, lawsuits, compliance infractions and loss of brand trust,” said Seth Hardy, Appthority Director of Security Research. “No amount of on-device application security can make up for relaxed security where the application stores user data. A breach at the backend takes the magnitude of the threat from being focused on a handful of devices to a much broader exposure for an entire enterprise, which could result in big data leaks or ransom of sensitive data.”
The Appthority Mobile Threat Team (MTT) discovered HospitalGown using an innovative backend scanning technique, added as a new component to the company’s leading dynamic mobile app analysis. Using this technique, the Appthority MTT analyzed the network traffic of over a million enterprise mobile iOS and Android apps and led to the discovery of over 21,000 open Elasticsearch servers with unprotected data connected to apps frequently found on enterprise devices.
“The HospitalGown threat is both real for enterprises and significant,” said Ed Amoroso, CEO of TAG Cyber. “It underscores the need for the in depth and innovative mobile threat defense solution that Appthority provides.”
Other key findings from Appthority’s Enterprise Mobile Threat Research show that:
- Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data
- Apps using just one of these services revealed almost 43TB of exposed data
- Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees’ VPN PINs, emails, phone numbers), and retail customer data
- In multiple cases, data has already been accessed by unauthorized individuals and ransomed
- Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers
The full enterprise mobile threat research report, entitled “HospitalGown: The Backend Exposure Putting Enterprise Data at Risk” can be downloaded here.
About Appthority Mobile Threat Research
Appthority’s Mobile Threat Team (MTT) monitors and investigates mobile risks that pose a direct threat to mobile enterprises. Their goal is to provide research that educates and informs enterprises looking to protect their people, data, devices, apps, and networks from mobile risks. The MTT is comprised of top mobile security researchers and threat analytics managers who use their experience and expertise to develop best-in-class research insights. The team prides itself on delivering unique, accurate and practical perspectives, as well as security solutions, that help our enterprise audience understand the most impactful threats and address mobile risks.
Appthority is a pioneer in enterprise mobile security and the leader in the Mobile Threat Defense category. The comprehensive Appthority Mobile Threat Protection (MTP) solution helps customers keep their data private and secure from mobile device, app and network threats. More Fortune 1000 companies trust Appthority to secure their enterprises from mobile threats because Appthority delivers best-in-class mobile threat protection and unparalleled enterprise visibility and control of mobile risks. With Appthority, security teams are informed, employees are productive and enterprise data is kept private and secure. Learn more at www.appthority.com.