Application security isn’t just a developer’s problem. IT staff and the security team also have roles to play in setting up the infrastructure and implementing security controls. When IT administrators forget the security basics for the app’s back-end servers, they undermine the developer’s good security decisions.
Researchers at mobile security company Appthority recently analyzed apps installed on enterprise devices (both mobile devices issued and managed by enterprise IT and personal devices in a BYOD scenario) and found more than 1,000 apps that exposed data because their back-end servers lacked security controls. The servers, which hosted the databases that stored user data and the analytics tools used to mine and analyze the collected data, had no firewalls, did not require authentication, and were publicly accessible from the internet.
Appthority found that those 1,000 apps were “connected to over 21,000 open Elasticsearch servers, revealing almost 43 TB of exposed data,” said Seth Hardy, Appthority’s director of security research.
Exposed data included personally identifiable information (PII) including passwords, location, travel and payment details, corporate profile data such as emails and phone numbers, and retail customer data. These are the types of information that can be used for fraud and credential-based attacks, or to launch secondary attacks such as phishing. The data exposure didn’t end if the user removed the app from his or her device, since the data was still on the leaky server and remained “at risk of being copied or downloaded by unauthorized parties,” the researchers wrote in their analysis. The data was accessed by unauthorized parties “in multiple cases” and ransomed.
Like many of the newer non-relational databases, Elasticsearch has no built-in authentication or access control, so the accepted best practice is to enforce security externally, through authentication plugins and by exposing its API only behind an authenticated, access-controlled layer. Anyone who reaches an Elasticsearch server, whether by scanning the internet or by learning its IP address some other way, has full access to the stored data unless those controls have been put in place. Appthority focused on Elasticsearch because it is widely used for large enterprise data sets, but the same problem turned up on several other back-end platforms, including Redis, MongoDB, MySQL, CouchDB and Couchbase.
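One way to verify the control the paragraph describes on a cluster you operate is to request the root document without credentials and see whether the server answers with cluster metadata. The script below is an added example, not code from the article or from Appthority; the URL, the verdict labels and the sample response body are assumptions constructed for the demonstration.

```python
"""Self-check for an Elasticsearch node you administer: does GET / answer
without credentials?  Added example; not from the article or Appthority."""
import json
import socket
import urllib.error
import urllib.request


def classify(status, body):
    """Turn one unauthenticated GET / response into a verdict.

    'open'              - cluster metadata served to an anonymous client
    'auth-required'     - server answered 401/403, credentials enforced
    'not-elasticsearch' - something else listens here (proxy, web page)
    'unknown'           - any other status code
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # An unprotected node greets every client with its cluster metadata.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"
    return "not-elasticsearch"


def probe(url, timeout=5.0):
    """Fetch the root document of your own node and classify the reply.
    'unreachable' means the port is filtered or closed (firewall in place)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return "unreachable"


# Constructed sample: what an unprotected node typically returns for GET /.
SAMPLE_OPEN_BODY = '{"name":"node-1","cluster_name":"docs","version":{"number":"6.2.0"}}'

if __name__ == "__main__":
    # Assumed local node address; anything other than 'auth-required' or
    # 'unreachable' means the control the article describes is missing.
    print(probe("http://127.0.0.1:9200/"))
```

Run it from the host itself and again from a network the node should not serve; the second run should report "unreachable" or "auth-required".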
No amount of on-device application security can make up for relaxed security where the application stores user data. — Seth Hardy
Developers need to make sure they are baking security right into the application code and protecting how the app handles the data, but as Appthority’s research shows, they also need to know how the back-end servers and data stores are being configured. The security best practices for these systems are well-documented, but someone needs to be checking and verifying that these controls are implemented so that the data remains protected.