Appthority Finds Mobile Apps’ Data Caches Exposed on Servers

[Corrected 6/7/17, 5:30 pm ET. See below.] While other cybersecurity companies were tracking the WannaCry ransomware that invaded victims’ computers in recent months, researchers at San Francisco-based Appthority were finding holes in major data storage sites where mobile apps and their business clients send their information for safekeeping.

Appthority found that many mobile app developers—though they may secure entry into their apps with measures such as log-in procedures—don’t take similar steps to prevent a hacker from raiding the remote servers where reams of user data are stored and analyzed.

The cybersecurity firm found that data caches held by more than 1,000 mobile apps, often used by businesses, were open to anyone with an Internet connection—no hacking required.

“You don’t have to compromise a device,” Appthority founder and president Domingo Guerra says.

Appthority estimates that 43 terabytes of data were exposed before it notified the app developers, app stores, and data storage providers involved. That data included personal identifying information that could be used by cybercriminals to trick business employees into clicking on false links, thus opening their company networks to malware. The vulnerable data, collected by mobile apps, originated from a wide range of businesses and organizations, including a large U.S. telecom company, a medical service provider, and an IT service for hedge fund management companies, according to an “Enterprise Mobile Threat Research” report published by Appthority on Wednesday.

Some of the unsecured apps were on the lists approved by businesses for employee use, Guerra says. “Some of them were mandatory,” he says.

Appthority mobile threat protection researchers made these discoveries by developing a new technique to scan for vulnerabilities in servers operated by cloud storage and data management companies. They found mobile app data sets unsecured on servers operated by Elasticsearch, Redis, MongoDB, MySQL, and CouchDB. [An earlier version of this story included a sixth host provider in the preceding list. Appthority informed Xconomy on June 7, 2017 that it had mistakenly named Couchbase in its report. We regret the error.]

“It’s not the fault of the host providers,” Guerra says. Such companies inform app developers of recommended practices to protect their data from being stolen, he says.

While app creators may do a good job on the front end by protecting access to the app itself, Guerra says, they seem to forget about the back end—the ultimate resting place for the data on external servers. Appthority named the vulnerability it discovered “HospitalGown,” for those annoying tie-on gowns with a big gap at the back.

To limit access to data stored on outside servers, app developers should use measures such as user name and password log-ins, encryption, and “obfuscated URLs that are not easy to find” for server IP addresses, Guerra says.

Why don’t app developers do this? Guerra says some may be creating their first software products, and lack skills or resources. Others may rush out apps because competition is fierce, and users are demanding updates more often, he says.

The dangerous thing about the HospitalGown vulnerability is that none of the companies responsible for vetting apps and keeping data safe on servers would be aware the data had been breached, unless a hacker reveals it by demanding a ransom, Guerra says.

“The app developer, the user, the host provider, the app store wouldn’t know,” Guerra says.

Trending on Xconomy