More than 3,000 mobile iOS and Android apps have reportedly been affected by a new HospitalGown threat variant recently discovered by Appthority. The threat occurs when app developers fail to require authentication for their Google Firebase databases, potentially leaving private data exposed to anyone who can reach the database.
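As an added illustration that is not part of the article or the Appthority research, the following shows the Firebase Realtime Database rules pattern that produces this kind of exposure beside a rules set that requires authentication; the two are separate rules files shown together, and the `users` and `public_posts` paths are assumptions for the example.

```json
// Firebase Realtime Database rules (the Firebase rules editor accepts // comments).
// CONSTRUCTED EXAMPLE: the "users" and "public_posts" paths are assumptions, not from the article.

// --- Exposed configuration: the pattern behind the HospitalGown Firebase variant ---
// Anyone who knows the database URL can read and modify the entire tree without signing in.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// --- Hardened configuration (separate rules file) ---
// No top-level ".read"/".write", so every path is denied unless a rule below grants access.
{
  "rules": {
    "users": {
      "$uid": {
        // A user may read and write only their own record, and only when signed in.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Reject records that are not shaped as expected.
        ".validate": "newData.hasChildren(['email'])"
      }
    },
    "public_posts": {
      // Listing is allowed for any signed-in user, never for anonymous callers.
      ".read": "auth != null",
      "$postId": {
        // Only the author may create or modify a post, and the stored author field must match.
        ".write": "auth != null && (!data.exists() || data.child('author').val() == auth.uid)",
        ".validate": "newData.child('author').val() == auth.uid"
      }
    }
  }
}
```

The Rules Playground in the Firebase console can simulate an unauthenticated read against a path such as `/users` to confirm the hardened rules deny it before they are deployed.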
Researchers first discovered what they call the HospitalGown vulnerability in 2017, when they broadened their view of enterprise mobile threats to include data leakage through unsecured back-end data stores. In a 31 May 2017 post, researchers wrote, “This vulnerability...can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.”
At the time Appthority reported the vulnerability, the apps affected by the Firebase variant had been downloaded 620 million times on Android devices. Researchers said 62% of enterprises were exposed to the loss of sensitive data through this vulnerability. The vulnerability is described as both critical and significant and has likely affected productivity, health and fitness, communication, cryptocurrency, finance and business apps.
“The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities,” Seth Hardy, Appthority director of security research, said in a 19 June press release.
Because mobile developers are under pressure to release a product, “the rush to market can result in developers and line-of-business owners overlooking rather basic security practices that might prevent this sort of issue. It’s not hard to find mobile development talent, but finding a mobile developer with security expertise is rare, and so developers need all the help they can get,” said Samuel Bakken, senior product marketing manager, OneSpan.
Given that mobile application security is so critical to enterprise security, “this vulnerability underscores why sectors such as healthcare and finance are increasingly adopting multilayered security strategies and incorporating passive biometrics and behavioral analytics to help ensure that the previously stolen data cannot be used for fraudulent purposes,” said Ryan Wilk, VP of customer success, NuData Security.