Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/31/2017
12:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Mobile App Back-End Servers, Databases at Risk

Mobile app developers'casual use of back-end technology like Elasticsearch without security-hardening puts unsuspecting enterprises at grave risk of exposure.

Mobile application developers are putting enterprise data at risk by failing to secure the back-end servers and databases that feed their apps with data.

New research out today from Appthority shows a wide range of data exposures to and from back-end platforms based on both relational and non-relational database technology, including Elasticsearch, Redis, MongoDB, and MySQL, that are created due to developers' lack of implementation of authentication and blocking technology between the app and back-end servers.

Appthority calls the threat surface "Hospital Gown," but the risk to the enterprise is more serious than the cheeky name implies. As the report explains, the vulnerability is caused by app developers' failure to "properly secure the backend servers with firewalls and authentication" and exposes a huge volume of records that can easily be mined or ransomed by hackers with a trivial amount of reverse engineering and scanning.

Most disconcertingly, the exposure is difficult for enterprises to control or even detect because the breach occurs on the app vendors' back-end platforms.

"Only backend platform configuration improvements and possibly code changes within the affected app will eliminate the vulnerability. If the vulnerability is exclusively on the backend, even updating the app will not solve the problem," the report explains.

Because Appthority discovered dozens of terabytes of exposed data on a wide range of platforms, for this research it focused only on one platform for deeper technical analysis. The research team says it chose Elasticsearch due to enterprise preference for the non-relational database's flexible handling big data.

As the report explains, many developers use Elasticsearch and other programs like it to quickly mine and analyze persistently stored user data. The trouble is Elasticsearch, like many new non-relational databases, comes with a default configuration that's stripped down with few security assurances in place.

"Elasticsearch does not have built in security and access control and relies on external implementation of these security features with an authentication plugin or API for access, for example," the report explains. "If the Elasticsearch server is publicly accessible on the internet without these security features implemented, the data stored there will be available to anyone who knows where to look."

This is exactly what happened earlier this year when attackers hijacked hundreds of Elasticsearch servers in a crude ransom attack that was a copycat of a wave of attacks against similarly exposed MongoDB servers. According to security researchers with ERPScan who conducted custom scanning of exposed databases on the Internet when the attack hit, they founded over 43,000 instances of exposed Elasticsearch instances at that time.

"Those numbers can be considered a minimum," says Mathieu Geli of ERPScan. "The reason lies in the fact that administrators are testing and deploying in production new promising technologies to handle big data, but they usually forget about security aspects."

But as Appthority points out, it's not just administrators who are leaving Elasticsearch instances exposed. Non-relational databases like Elasticsearch, MongoDB, and Redis are designed with a minimalist bent to afford greater speed and flexibility in how applications can access and manipulate data.

The trade-off is that it falls on the developer who leans on Elasticsearch and similar back-end technologies to build in security hardening into their applications rather than relying on the platform itself to provide such hardening. This is the crux of the exposure described by Appthority.

In over 1,000 applications with the vulnerability, it is possible for a bad actor to reverse engineer the application to obtain an Elasticsearch server IP address and listen for traffic being sent in the clear with no authentication to that IP. Of those 1,000 applications, Appthority examined 39 in-depth and witnessed over 280 million records released by these few dozen applications. These were legitimate applications, "some developed by respected vendors with well vetted security practices," the report explains.

A few startling examples include Pulse Workspace - a VPN application widely used by organizations that includes pharmaceutical providers, a US federal court and a US missle company - as well as Jacto Apps, which connect IoT data from Jacto's commercial agricultural machinery to the company's centralized servers that store data on behalf of customers.

The vulnerability explained in the report offers a compelling case for organizations to get a better handle on how mobile data is stored once it leaves user's devices and enters the cloud.

"Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk," the report's authors explain. "Enterprises relying on software developers to properly code and configure the backend connections are exposed."

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
JeroldWinslow
50%
50%
JeroldWinslow,
User Rank: Apprentice
3/19/2018 | 3:34:34 AM
Term paper writing service
StudentsAssignmentHelp provides students with efficiently written essays, research papers, term paper writing service . We stand behind the excellence of our services each time, no matter the topic or difficulty.
myassignmenthelpdesk
50%
50%
myassignmenthelpdesk,
User Rank: Apprentice
8/29/2018 | 4:16:34 PM
My Assignment Help Desk
Hi, your blog is truly faultless and unique. Very wonderful your article, This is best article. I read really perfect your article more information one of other blog zone. So I like it. Thank so much for sharing this article with us. 
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4031
PUBLISHED: 2019-10-16
IBM Workload Scheduler Distributed 9.2, 9.3, 9.4, and 9.5 contains a vulnerability that could allow a local user to write files as root in the file system, which could allow the attacker to gain root privileges. IBM X-Force ID: 155997.
CVE-2019-17626
PUBLISHED: 2019-10-16
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
CVE-2019-17627
PUBLISHED: 2019-10-16
The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This a...
CVE-2019-17625
PUBLISHED: 2019-10-16
There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such...
CVE-2019-17624
PUBLISHED: 2019-10-16
In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. For example, by sending ct.c_char 1000 times, an attacker can cause a denial of service (application crash) or possibly have unspecified other impact.