Mobile apps for enterprise services that manage data are leaving massive troves of user information exposed and unprotected on backend servers, according to a group of security researchers.
Experts at Appthority, a mobile security firm, published a report that showed 43 terabytes of data from enterprise apps left exposed. The information was spread across 21,000 servers and linked to more than 1,000 mobile apps.
Appthority researchers spotted the exposed sets of data by leveraging Elasticsearch, a popular enterprise search engine that makes information from a number of database sources searchable and easier to sort through.
The firm developed an automated system for scanning Elasticsearch to find unsecured stores of data. They discovered information in a variety of database platforms—including MongoDB, MySQL, CouchDB, Redis and Couchbase—and traced the origins of those unprotected servers to find where the datasets were created.
Appthority then analyzed nearly one million enterprise apps designed for Android and iOS to find out which apps transferred data to those unsecured locations. The reverse engineering led the researchers to discover that a considerable number of enterprise apps have not taken proper steps to protect user data.
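The two steps described above, pulling backend endpoints out of an app and then checking whether the data store behind them answers without credentials, can be sketched in a few dozen lines. The following is an added example written for this article, not Appthority's tooling or any code from the report; the hostnames, the "decompiled strings" and the Elasticsearch response are all constructed stand-ins. It triages URLs recovered from an app (plaintext HTTP, credentials embedded in the URL, a connection straight to a database port) and classifies the reply to `GET /` on port 9200, which an unauthenticated Elasticsearch node answers with its cluster name and the tagline "You Know, for Search".

```python
import json
import re
from urllib.parse import urlsplit

# Default ports of the data stores named in the report. An app that opens a
# socket straight to one of these is talking to a database, not to an API.
DATASTORE_PORTS = {
    9200: "elasticsearch",
    27017: "mongodb",
    3306: "mysql",
    5984: "couchdb",
    6379: "redis",
    8091: "couchbase",
}

# Matches HTTP(S) URLs and the connection-string schemes the stores use.
URL_RE = re.compile(r"""(?:https?|mongodb|redis|mysql|couchbase)://[^\s"'<>]+""")


def extract_endpoints(strings):
    """Pull backend URLs out of strings recovered from a decompiled app and
    attach the issues a reviewer would want flagged for each one."""
    findings = []
    for s in strings:
        for url in URL_RE.findall(s):
            parts = urlsplit(url)
            if not parts.hostname:
                continue
            issues = []
            if parts.scheme == "http":
                issues.append("plaintext-http")
            if parts.username or parts.password:
                issues.append("embedded-credentials")
            # A mongodb:// or redis:// scheme names the store directly; for
            # http(s) we fall back to the port the app connects to.
            store = parts.scheme if parts.scheme not in ("http", "https") \
                else DATASTORE_PORTS.get(parts.port)
            if store:
                issues.append("direct-datastore-connection")
            findings.append({"url": url, "host": parts.hostname,
                             "port": parts.port, "store": store, "issues": issues})
    return findings


def elasticsearch_root_is_open(status, body):
    """Decide from the response to GET / on port 9200 whether the node served
    its root document to an unauthenticated caller. A node with security
    enabled answers 401 instead."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and "cluster_name" in doc and "tagline" in doc


def open_elasticsearch_hosts(strings, probe_results):
    """Cross-reference the endpoints an app talks to with probe results
    (host -> (status, body) from GET /) and return the hosts that are open."""
    hosts = []
    for f in extract_endpoints(strings):
        if f["store"] != "elasticsearch" or f["host"] not in probe_results:
            continue
        status, body = probe_results[f["host"]]
        if elasticsearch_root_is_open(status, body) and f["host"] not in hosts:
            hosts.append(f["host"])
    return hosts


# Constructed sample data: stand-ins for strings pulled from a decompiled app
# and for the HTTP reply a scanner would have fetched from port 9200.
SAMPLE_STRINGS = [
    "https://api.example-enterprise.test/v2/sync",
    "http://search.example-enterprise.test:9200/users/_search",
    "mongodb://app:Sup3rSecret@db.example-enterprise.test:27017/customers",
    "Some unrelated string",
    "redis://cache.example-enterprise.test:6379/0",
]
SAMPLE_PROBES = {
    "search.example-enterprise.test": (200, json.dumps({
        "name": "node-1", "cluster_name": "prod-search",
        "version": {"number": "5.4.0"}, "tagline": "You Know, for Search"})),
}

if __name__ == "__main__":
    for f in extract_endpoints(SAMPLE_STRINGS):
        print(f["url"], "->", f["store"] or "api", f["issues"])
    print("open Elasticsearch:", open_elasticsearch_hosts(SAMPLE_STRINGS, SAMPLE_PROBES))
```

In a real scan the `probe_results` dictionary would be filled by fetching `GET /` from each candidate host; only do that against infrastructure you are authorized to test. The endpoint triage on its own is still useful during an app review, since a plaintext URL or a connection string with credentials is a finding regardless of what the server says.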
Analyzing the full breadth of the leaks would be a Herculean task, but even a small sample of the findings reveals the risks associated with the unprotected databases, a problem Appthority refers to as “HospitalGown” because, like a hospital gown, it leaves the back end exposed.
According to Appthority’s findings, an analysis of a subset of 39 apps found to be transferring data to unsecured databases revealed 280 million user records, much of which contained personally identifiable information and sensitive corporate documentation.
The risk of such exposure is not only dangerous for the companies hosting the servers but for those who trust their information to said companies. Exposed data has made some people the target of ransoms and victims of hacks.
Earlier this week, a group of hackers released 25,000 private photos and personal information from clients of a plastic surgery practice after the business declined to pay a ransom. The leak exposed intensely personal images, in some cases nude photos, along with passport and Social Security numbers belonging to private citizens and celebrities.
There are few industries that are not affected by the HospitalGown problem. The report found apps in sectors including enterprise mobile access, agriculture, travel, productivity, education, dating and games are all guilty of failing to secure backend servers.
“Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk. Enterprises relying on software developers to properly code and configure the backend connections are exposed,” Appthority’s report concludes.
The threat of HospitalGown presents a number of unique problems, both for enterprise app providers and for their users, because it is not the typical database breach that requires forceful entry or stolen credentials: the data is simply reachable by anyone who finds the server. It is an issue of the back-end infrastructure that many of these apps are built on and that companies rely upon. Fixing it will require a dedicated effort from a number of parties willing to take data security more seriously.