Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/31/2017
12:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Mobile App Back-End Servers, Databases at Risk

Mobile app developers'casual use of back-end technology like Elasticsearch without security-hardening puts unsuspecting enterprises at grave risk of exposure.

Mobile application developers are putting enterprise data at risk by failing to secure the back-end servers and databases that feed their apps with data.

New research out today from Appthority shows a wide range of data exposures to and from back-end platforms based on both relational and non-relational database technology, including Elasticsearch, Redis, MongoDB, and MySQL, that are created due to developers' lack of implementation of authentication and blocking technology between the app and back-end servers.

Appthority calls the threat surface "Hospital Gown," but the risk to the enterprise is more serious than the cheeky name implies. As the report explains, the vulnerability is caused by app developers' failure to "properly secure the backend servers with firewalls and authentication" and exposes a huge volume of records that can easily be mined or ransomed by hackers with a trivial amount of reverse engineering and scanning.

Most disconcertingly, the exposure is difficult for enterprises to control or even detect because the breach occurs on the app vendors' back-end platforms.

"Only backend platform configuration improvements and possibly code changes within the affected app will eliminate the vulnerability. If the vulnerability is exclusively on the backend, even updating the app will not solve the problem," the report explains.

Because Appthority discovered dozens of terabytes of exposed data on a wide range of platforms, for this research it focused only on one platform for deeper technical analysis. The research team says it chose Elasticsearch due to enterprise preference for the non-relational database's flexible handling big data.

As the report explains, many developers use Elasticsearch and other programs like it to quickly mine and analyze persistently stored user data. The trouble is Elasticsearch, like many new non-relational databases, comes with a default configuration that's stripped down with few security assurances in place.

"Elasticsearch does not have built in security and access control and relies on external implementation of these security features with an authentication plugin or API for access, for example," the report explains. "If the Elasticsearch server is publicly accessible on the internet without these security features implemented, the data stored there will be available to anyone who knows where to look."

This is exactly what happened earlier this year when attackers hijacked hundreds of Elasticsearch servers in a crude ransom attack that was a copycat of a wave of attacks against similarly exposed MongoDB servers. According to security researchers with ERPScan who conducted custom scanning of exposed databases on the Internet when the attack hit, they founded over 43,000 instances of exposed Elasticsearch instances at that time.

"Those numbers can be considered a minimum," says Mathieu Geli of ERPScan. "The reason lies in the fact that administrators are testing and deploying in production new promising technologies to handle big data, but they usually forget about security aspects."

But as Appthority points out, it's not just administrators who are leaving Elasticsearch instances exposed. Non-relational databases like Elasticsearch, MongoDB, and Redis are designed with a minimalist bent to afford greater speed and flexibility in how applications can access and manipulate data.

The trade-off is that it falls on the developer who leans on Elasticsearch and similar back-end technologies to build in security hardening into their applications rather than relying on the platform itself to provide such hardening. This is the crux of the exposure described by Appthority.

In over 1,000 applications with the vulnerability, it is possible for a bad actor to reverse engineer the application to obtain an Elasticsearch server IP address and listen for traffic being sent in the clear with no authentication to that IP. Of those 1,000 applications, Appthority examined 39 in-depth and witnessed over 280 million records released by these few dozen applications. These were legitimate applications, "some developed by respected vendors with well vetted security practices," the report explains.

A few startling examples include Pulse Workspace - a VPN application widely used by organizations that includes pharmaceutical providers, a US federal court and a US missle company - as well as Jacto Apps, which connect IoT data from Jacto's commercial agricultural machinery to the company's centralized servers that store data on behalf of customers.

The vulnerability explained in the report offers a compelling case for organizations to get a better handle on how mobile data is stored once it leaves user's devices and enters the cloud.

"Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk," the report's authors explain. "Enterprises relying on software developers to properly code and configure the backend connections are exposed."

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
berryjohnson
50%
50%
berryjohnson,
User Rank: Black Belt
1/15/2020 | 5:44:52 AM
database risk
Mobile App back end server's database risk always be more secure.
myassignmenthelpdesk
50%
50%
myassignmenthelpdesk,
User Rank: Apprentice
8/29/2018 | 4:16:34 PM
My Assignment Help Desk
Hi, your blog is truly faultless and unique. Very wonderful your article, This is best article. I read really perfect your article more information one of other blog zone. So I like it. Thank so much for sharing this article with us. 
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
CVE-2021-27363
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...
CVE-2021-26294
PUBLISHED: 2021-03-07
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_...