Application Security

5/31/2017
12:45 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Mobile App Back-End Servers, Databases at Risk

Mobile app developers'casual use of back-end technology like Elasticsearch without security-hardening puts unsuspecting enterprises at grave risk of exposure.

Mobile application developers are putting enterprise data at risk by failing to secure the back-end servers and databases that feed their apps with data.

New research out today from Appthority shows a wide range of data exposures to and from back-end platforms based on both relational and non-relational database technology, including Elasticsearch, Redis, MongoDB, and MySQL, that are created due to developers' lack of implementation of authentication and blocking technology between the app and back-end servers.

Appthority calls the threat surface "Hospital Gown," but the risk to the enterprise is more serious than the cheeky name implies. As the report explains, the vulnerability is caused by app developers' failure to "properly secure the backend servers with firewalls and authentication" and exposes a huge volume of records that can easily be mined or ransomed by hackers with a trivial amount of reverse engineering and scanning.

Most disconcertingly, the exposure is difficult for enterprises to control or even detect because the breach occurs on the app vendors' back-end platforms.

"Only backend platform configuration improvements and possibly code changes within the affected app will eliminate the vulnerability. If the vulnerability is exclusively on the backend, even updating the app will not solve the problem," the report explains.

Because Appthority discovered dozens of terabytes of exposed data on a wide range of platforms, for this research it focused only on one platform for deeper technical analysis. The research team says it chose Elasticsearch due to enterprise preference for the non-relational database's flexible handling big data.

As the report explains, many developers use Elasticsearch and other programs like it to quickly mine and analyze persistently stored user data. The trouble is Elasticsearch, like many new non-relational databases, comes with a default configuration that's stripped down with few security assurances in place.

"Elasticsearch does not have built in security and access control and relies on external implementation of these security features with an authentication plugin or API for access, for example," the report explains. "If the Elasticsearch server is publicly accessible on the internet without these security features implemented, the data stored there will be available to anyone who knows where to look."

This is exactly what happened earlier this year when attackers hijacked hundreds of Elasticsearch servers in a crude ransom attack that was a copycat of a wave of attacks against similarly exposed MongoDB servers. According to security researchers with ERPScan who conducted custom scanning of exposed databases on the Internet when the attack hit, they founded over 43,000 instances of exposed Elasticsearch instances at that time.

"Those numbers can be considered a minimum," says Mathieu Geli of ERPScan. "The reason lies in the fact that administrators are testing and deploying in production new promising technologies to handle big data, but they usually forget about security aspects."

But as Appthority points out, it's not just administrators who are leaving Elasticsearch instances exposed. Non-relational databases like Elasticsearch, MongoDB, and Redis are designed with a minimalist bent to afford greater speed and flexibility in how applications can access and manipulate data.

The trade-off is that it falls on the developer who leans on Elasticsearch and similar back-end technologies to build in security hardening into their applications rather than relying on the platform itself to provide such hardening. This is the crux of the exposure described by Appthority.

In over 1,000 applications with the vulnerability, it is possible for a bad actor to reverse engineer the application to obtain an Elasticsearch server IP address and listen for traffic being sent in the clear with no authentication to that IP. Of those 1,000 applications, Appthority examined 39 in-depth and witnessed over 280 million records released by these few dozen applications. These were legitimate applications, "some developed by respected vendors with well vetted security practices," the report explains.

A few startling examples include Pulse Workspace - a VPN application widely used by organizations that includes pharmaceutical providers, a US federal court and a US missle company - as well as Jacto Apps, which connect IoT data from Jacto's commercial agricultural machinery to the company's centralized servers that store data on behalf of customers.

The vulnerability explained in the report offers a compelling case for organizations to get a better handle on how mobile data is stored once it leaves user's devices and enters the cloud.

"Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk," the report's authors explain. "Enterprises relying on software developers to properly code and configure the backend connections are exposed."

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
myassignmenthelpdesk
50%
50%
myassignmenthelpdesk,
User Rank: Apprentice
8/29/2018 | 4:16:34 PM
My Assignment Help Desk
Hi, your blog is truly faultless and unique. Very wonderful your article, This is best article. I read really perfect your article more information one of other blog zone. So I like it. Thank so much for sharing this article with us. 
JeroldWinslow
50%
50%
JeroldWinslow,
User Rank: Apprentice
3/19/2018 | 3:34:34 AM
Term paper writing service
StudentsAssignmentHelp provides students with efficiently written essays, research papers, term paper writing service . We stand behind the excellence of our services each time, no matter the topic or difficulty.
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.