Thousands of enterprise apps exposing data on back-end servers

Something is going badly wrong with the way the mountain of big data generated by enterprise mobile apps is being stored on back-end servers, a new analysis has shown.

In March, a company called Appthority worked out how to scan these stores in an automated way, a technique akin to turning over a large, damp stone to count the creepy-crawlies underneath.

This found terabytes of potentially exposed data sitting in the MongoDB, MySQL, CouchDB, Redis, and Couchbase database platform before honing in on the popular Elasticsearch enterprise search tool to get a handle on the scale of the problem.

The team worked back from unsecured Elasticsearch stores to trace which apps had created them, before analysing one million Android and iOS enterprise apps to see whether any were sending data to unsecured locations.

The findings take some explaining: 43TB of data on 21,000 servers generated by 1,000 mobile apps had been left in an exposed state.

It’s not clear what “exposed” means in this context but further analysis of a subset of 39 apps found them to be leaking 163GB of data containing 280m records, including a goldmine of personally identifiable information (PII) and sensitive corporate data.

Categories of apps covered sectors from enterprise mobile access, agriculture, education, travel, office productivity and, inevitably, dating and games.

In multiple cases, exposed data appears to have been found and ransomed by attackers. One victim company even failed to respond to Appthority despite the data still sitting in an exposed state when the report was published.

Hitherto, mobile app security has been about locking down devices, looking for weaknesses in the apps themselves or limiting user privileges. But unsecured back-end servers are a separate back door into data that enterprises probably know little about.

Appthority calls the issue HospitalGown, an apt metaphor inspired by the way that this item of clothing covers patients’ bodies but not their backs.

As for mitigation:

Because the risk is within the app provider’s environment, security and mobility teams tasked with providing secure mobility for their companies may find they have very few direct options for protecting against HospitalGown data exposure.

If mobile big data architectures are really failing, what will come next is a wave of data breaches and ransom extortion that people will claim to be surprised about.

Except, of course, criminals are already going after cloud databases, as evidenced by the recent wave of attacks on MongoDB servers.

If HospitalGown underlines one thing it’s that a lot of companies should fear the dawning of the EU’s General Data Protection Regulation (GDPR), which promises heavy financial retribution on companies caught up in epic fail breaches. If that comes to pass, ransom crooks might only be the start of the pain.