Mobile Security Relies on Data Security
When protecting against mobile threats, the focus is typically on three familiar categories: apps, device threats, and network threats. Apps may exhibit risky behaviors, such as accessing personal data or sending passwords without encryption, or they may be outright malicious. Devices can be compromised, intentionally or not, and external network threats can intercept data in motion leaving the device.
It’s understandable that in mobile security we focus on the device, the apps it runs, and the networks it connects to. But what happens to the data from there? Cloud computing and storage are ubiquitous, advertising networks are the default revenue model for many apps, and analytics frameworks are driving design and implementation decisions. We can’t ignore where the data goes. Like any other component of the larger system, these backend servers can introduce additional risk, often outside of a user’s view.
In our 2017 Q1 Enterprise Mobile Threat Report, we highlighted Uber’s use of third-party apps and services that put users’ data at risk. In our 2017 Q2 Enterprise Mobile Threat Report, we’re taking a step back and looking at a simpler risk, but one far more prevalent within the mobile ecosystem: tracking data leakage through backend data stores that are unsecured. This vulnerability, which we are calling HospitalGown, can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.
Download the report | HospitalGown: The Backend Exposure Putting Enterprise Data at Risk
Ranking Mobile Risks
Recent high profile mobile threats, including targeted attacks, advertising fraud, and ransomware, show that there is a lot of focus on malware. These threats are real and directly impact users – but how do they affect enterprises? Most malware outbreaks are broadly targeted, and while they may steal data, perpetrate financial fraud against an individual, or encrypt personal data on a mobile device, they rarely target enterprise resources or infrastructure.
On the other hand, the media and analysts are waiting for a breach where the smoking gun can be traced back to a mobile vulnerability. Until that happens, it can be difficult to make the case that mobile security is a high priority, and many organizations are relying exclusively on security features of the device’s operating system and associated app store.
This just isn’t enough. Malware isn’t the only mobile threat; the greatest exposure from mobile devices is data leakage. Mobile apps often collect a large amount of PII that isn’t necessary for the app’s use, such as specifics about the device and the user’s physical location. This information can be used in spear phishing or watering hole attacks, or as reconnaissance for further network attacks.
Many enterprises have determined that protection from data leakage due to mobile exploits should be their highest priority—and we believe they’re right.
What is the HospitalGown Threat?
HospitalGown is a vulnerability to data exposure caused not by any code in the app, but by the app developers’ failure to properly secure the backend servers (hence the name) with which the app communicates and where sensitive data is stored.
Why is HospitalGown a Threat?
Apps that are vulnerable to HospitalGown are doing what they are supposed to do – and this is why they are such a threat. These apps don’t compromise the device and aren’t under any kind of network attack. They don’t need to be sideloaded, and are available from reputable sources such as Google Play and the Apple App Store. Apps with this vulnerability aren’t malware, and they likely pass all mobile app reputation tests.
And yet, these apps leak massive amounts of data. Our first case study, a security app, leaked about 8 GB of data, including over 16,000 customer records containing PII such as full customer names, email addresses, phone numbers, PIN reset tokens, device information, and password lengths. In our second case study, 4 GB of data revealed 36 million records including customer, partner, and government agency records from over 10 countries, and real-time telemetry data from large agricultural machinery.
In total, we found almost 43 TB of data exposed and 1,000 apps affected by the HospitalGown vulnerability. Looking at a subset of 39 apps, we still found 280 million records exposed, a total of about 163 GB of data. This is a staggering amount of leaked information, and in some cases represents the entirety of customer or operational data for an enterprise.
Watch the Webinar | HospitalGown: The Backend Exposure Putting Enterprise Data at Risk
Why Enterprises Should Be Concerned
Our research has identified over 1,000 apps that expose data due to HospitalGown. These apps aren’t contrived examples made for demonstration, but are real apps found in Google Play and the Apple App Store – and more importantly, on our customers’ devices. Some have tens to hundreds of thousands of downloads. Because this vulnerability is tied to the backend infrastructure, it is not trackable by app version number; in most cases, an upgrade to the app won’t address the security risks. Even worse, if an app developer closes the vulnerability, it doesn’t secure the data already leaked.
In all cases we’ve observed, this vulnerability has resulted from human error, not malicious intent. Our notification process responsibly disclosed information about the data exposure to app developers, and we worked with those that responded to close the vulnerabilities. In some cases, the issues were remediated immediately. Unfortunately, in others, we received no response and the data is still exposed.
Some apps leak data by design. Many applications rely on cloud storage or processing of user data, especially with the limited computing resources available on mobile devices. A complicated ecosystem of SDKs, third-party software libraries, analytics frameworks, and advertising networks makes it harder to fully understand what data is being collected and where it is going. This, in turn, makes it harder to secure that data.
The HospitalGown vulnerability isn’t just theoretical. Hundreds of apps are leaking terabytes of data, all due to simple human error – failure to secure the backend data stores. We recommend that, where possible, enterprises refrain from using apps that access or send sensitive information, particularly if the data is not encrypted in transit and at rest. If the use of an app impacted by HospitalGown is necessary, we suggest contacting the app developer or vendor to verify that the backend server has been secured.
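The definition above (an app that behaves correctly while its backend data store answers anyone) and the closing recommendation (verify that your own backend has actually been secured) can be made concrete with a small model. The following is an added example, not Appthority's code or any analysis engine described in the report: two tiny HTTP backends run on localhost, one that hands out a customer table to any client and one that requires a bearer token, and a self-audit helper reports which of them returns records to an unauthenticated request. The `/customers` path, the token value and the customer records are constructed for the example.

```python
"""Added example (not Appthority's code): model the HospitalGown pattern.

Two tiny HTTP backends run on localhost. The first serves a customer record
store with no authentication (the exposure the report describes); the second
requires a bearer token. audit_backend() is a self-audit helper meant for your
OWN backends: it sends one unauthenticated GET and reports whether records came
back. All records, paths and tokens below are constructed placeholders.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample rows standing in for a leaked customer table.
RECORDS = [
    {"name": "Example Customer 1", "email": "c1@example.com", "pin_reset_token": "tok-1"},
    {"name": "Example Customer 2", "email": "c2@example.com", "pin_reset_token": "tok-2"},
    {"name": "Example Customer 3", "email": "c3@example.com", "pin_reset_token": "tok-3"},
]
API_TOKEN = "example-placeholder-token"  # hypothetical; a real deployment issues per-client secrets


def make_handler(require_auth):
    """Build a request handler; require_auth=False reproduces the unsecured backend."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # The hardened variant refuses any request without the expected bearer token.
            if require_auth and self.headers.get("Authorization") != f"Bearer {API_TOKEN}":
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            body = json.dumps(RECORDS).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return Handler


def start_backend(require_auth):
    """Start a backend on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def audit_backend(url):
    """Send one unauthenticated GET to a backend you own and summarise what it returned."""
    try:
        with urlopen(Request(url), timeout=5) as resp:
            try:
                payload = json.loads(resp.read())
            except ValueError:
                payload = None
            # A non-empty list of records to an anonymous client is the HospitalGown finding.
            exposed = isinstance(payload, list) and len(payload) > 0
            return {"url": url, "status": resp.status, "exposed": exposed,
                    "records": len(payload) if exposed else 0}
    except HTTPError as err:
        # 401/403 is the expected answer from a secured store.
        return {"url": url, "status": err.code, "exposed": False, "records": 0}


def run_demo():
    """Audit both backends; returns [finding_for_open_store, finding_for_secured_store]."""
    open_srv = start_backend(require_auth=False)
    secured_srv = start_backend(require_auth=True)
    try:
        return [audit_backend(f"http://127.0.0.1:{srv.server_port}/customers")
                for srv in (open_srv, secured_srv)]
    finally:
        for srv in (open_srv, secured_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The open store answers the anonymous request with HTTP 200 and all three rows; the secured store answers 401 and nothing. Neither the mobile app nor the network path changes between the two cases, which is the point of the report: the app is working as designed, and only the backend's access control decides whether the customer table is public. Running a check like this against your own backend endpoints (and only your own) is one concrete way to act on the recommendation to verify that a backend has been secured, alongside confirming TLS in transit and encryption at rest.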
Appthority customers are protected against HospitalGown. In addition to our deep dynamic mobile threat detection, we have developed a new analysis engine component which scans the backend infrastructure connected to apps, looking for unsecured data stores. Our customers should remediate apps with the HospitalGown vulnerability until the app developers secure their data.