Application Security
5/31/2017
12:45 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Mobile App Back-End Servers, Databases at Risk

Mobile app developers'casual use of back-end technology like Elasticsearch without security-hardening puts unsuspecting enterprises at grave risk of exposure.

Mobile application developers are putting enterprise data at risk by failing to secure the back-end servers and databases that feed their apps with data.

New research out today from Appthority shows a wide range of data exposures to and from back-end platforms based on both relational and non-relational database technology, including Elasticsearch, Redis, MongoDB, and MySQL, that are created due to developers' lack of implementation of authentication and blocking technology between the app and back-end servers.

Appthority calls the threat surface "Hospital Gown," but the risk to the enterprise is more serious than the cheeky name implies. As the report explains, the vulnerability is caused by app developers' failure to "properly secure the backend servers with firewalls and authentication" and exposes a huge volume of records that can easily be mined or ransomed by hackers with a trivial amount of reverse engineering and scanning.

Most disconcertingly, the exposure is difficult for enterprises to control or even detect because the breach occurs on the app vendors' back-end platforms.

"Only backend platform configuration improvements and possibly code changes within the affected app will eliminate the vulnerability. If the vulnerability is exclusively on the backend, even updating the app will not solve the problem," the report explains.

Because Appthority discovered dozens of terabytes of exposed data on a wide range of platforms, for this research it focused only on one platform for deeper technical analysis. The research team says it chose Elasticsearch due to enterprise preference for the non-relational database's flexible handling big data.

As the report explains, many developers use Elasticsearch and other programs like it to quickly mine and analyze persistently stored user data. The trouble is Elasticsearch, like many new non-relational databases, comes with a default configuration that's stripped down with few security assurances in place.

"Elasticsearch does not have built in security and access control and relies on external implementation of these security features with an authentication plugin or API for access, for example," the report explains. "If the Elasticsearch server is publicly accessible on the internet without these security features implemented, the data stored there will be available to anyone who knows where to look."

This is exactly what happened earlier this year when attackers hijacked hundreds of Elasticsearch servers in a crude ransom attack that was a copycat of a wave of attacks against similarly exposed MongoDB servers. According to security researchers with ERPScan who conducted custom scanning of exposed databases on the Internet when the attack hit, they founded over 43,000 instances of exposed Elasticsearch instances at that time.

"Those numbers can be considered a minimum," says Mathieu Geli of ERPScan. "The reason lies in the fact that administrators are testing and deploying in production new promising technologies to handle big data, but they usually forget about security aspects."

But as Appthority points out, it's not just administrators who are leaving Elasticsearch instances exposed. Non-relational databases like Elasticsearch, MongoDB, and Redis are designed with a minimalist bent to afford greater speed and flexibility in how applications can access and manipulate data.

The trade-off is that it falls on the developer who leans on Elasticsearch and similar back-end technologies to build in security hardening into their applications rather than relying on the platform itself to provide such hardening. This is the crux of the exposure described by Appthority.

In over 1,000 applications with the vulnerability, it is possible for a bad actor to reverse engineer the application to obtain an Elasticsearch server IP address and listen for traffic being sent in the clear with no authentication to that IP. Of those 1,000 applications, Appthority examined 39 in-depth and witnessed over 280 million records released by these few dozen applications. These were legitimate applications, "some developed by respected vendors with well vetted security practices," the report explains.

A few startling examples include Pulse Workspace - a VPN application widely used by organizations that includes pharmaceutical providers, a US federal court and a US missle company - as well as Jacto Apps, which connect IoT data from Jacto's commercial agricultural machinery to the company's centralized servers that store data on behalf of customers.

The vulnerability explained in the report offers a compelling case for organizations to get a better handle on how mobile data is stored once it leaves user's devices and enters the cloud.

"Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk," the report's authors explain. "Enterprises relying on software developers to properly code and configure the backend connections are exposed."

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.