Mobile Backend Remains the Achilles' Heel of Mobile Ecosystem
Friday, October 5, 2018
APIs and Web Services are widely used by modern mobile applications. Often underprotected, they are a common source of critical flaws and data breaches.
Mobile backend presents a completely different landscape to in-house desktop and web applications. While mobile provides many opportunities for streamlining and interconnectivity, these same opportunities often hide a new category of vulnerability.
What is ‘backend’ for mobile apps?
In the data center, the ‘backend’ for most applications refers to all the aspects of the app that users don’t directly interact with or see. Data storage, servers and connectivity with other applications are all part of the backend. Most of the application’s code makes up its backend, while the user interface and visible functions form the frontend.
It’s not so simple in the mobile world. Here, the frontend is largely a self-contained app on a mobile device, while the backend is usually a database (and all the IT infrastructure running the database) held somewhere in the cloud. If the database owner wishes to profit from the knowledge stored in the database, he will almost certainly develop APIs or SDKs for third parties to use in developing mobile apps.
All too often, those APIs and SDKs contain flaws that can be used by hackers to access the cloud data without having to hack either the app or the cloud repository. A flaw in an API creates a security vulnerability in any app using it; a security flaw in an SDK could mean that most apps made with it have that flaw baked in.
In some cases, especially in smaller limited purpose private apps, there is no API involved – just a direct connection between the app and the database. In these cases, if the app does not sufficiently authenticate with the database, data can again be stolen without any need to directly hack either the frontend or the backend.
Issues of connectivity with limited purpose databases
There have been three recent examples of mobile apps insecurely connecting to private databases – all coincidentally involving conference software: the RSA Security Conference held in April, the Black Hat conference in August, and the UK Tory party annual conference held this very week.
Both the 2018 BlackHat and RSA security conference apps had severe backend data weaknesses
At RSAC, Twitter user @svblxyz (handle svbl) discovered a data exposure in the RSA Conference’s mobile app. Thanks to an insecure API, attendees’ first and last names were available to freely download from the app’s backend. It’s not known whether more personal details were exposed; svbl only confirmed that he was able to access names, after which the vulnerability was reported and swiftly corrected by RSAC staff. It’s very possible, however, that the data could have included phone numbers, email addresses or any other information taken as part of the event registration.
It seems that in this instance, the backend database was discoverable via an insecure API that could be accessed via credentials hardcoded into the app.
Later in the year, security researcher and blogger NinjaStyle blogged that he was able to extract personal data of the BlackHat attendees. Using a decompiled Android NFC reader application, along with a bit of deduction and ingenuity, he was able to devise a method to gain access to the complete personal data of any attendee.
The most hilarious – perhaps ridiculous – conference app flaw emerged this week at the Tory party conference. There seems to have been no authentication other than the user ID (which was the user’s email address) between the app and the backend database of registered attendees. This meant that any attacker (in this instance, usually just a prankster) could guess the target attendee’s email address and log straight into that user’s database details.
The Guardian columnist Dawn Foster tweeted, “The Tory conference app allows you to log in as other people and view their contact details just with their email address, no emailed security links, and post comments as them. They’ve essentially made every journalist, politician and attendee’s mobile number public. Fantastic.”
While so absurd that it is funny, this little episode could have a sting in its tail. The UK data protection regulator (the ICO) is investigating to see if it breaches GDPR regulations. If it does, the Tory party could be hit with a sizable GDPR fine – and GDPR (and other national privacy laws) is something that all app developers should bear in mind.
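The conference-app flaw described above, shown beside a hardened form as an added example (not code from any of the apps discussed). The attendee record, function names, in-memory stores and the 10-minute lifetime are assumptions made for illustration; the fix sketched is the "emailed security link" the tweet says was missing.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one attendee record keyed by email (not a real person).
ATTENDEES = {"alice@example.org": {"name": "Alice", "mobile": "+44 0000 000001"}}
TOKEN_TTL = 600   # seconds a login link stays valid (assumed policy)
PENDING = {}      # email -> (sha256 of token, expiry time)
OUTBOX = []       # stands in for the mail system: (email, token) pairs


def login_weak(email):
    """The flawed pattern: knowing the email address is the whole login."""
    return ATTENDEES.get(email)


def request_login_link(email, now=None):
    """Step 1: mail a single-use token; the reply is identical for unknown addresses."""
    now = time.time() if now is None else now
    if email in ATTENDEES:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[email] = (digest, now + TOKEN_TTL)   # store only the hash
        OUTBOX.append((email, token))                # delivered out of band
    return "If that address is registered, a login link has been sent."


def redeem_login_link(email, token, now=None):
    """Step 2: return the record only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    entry = PENDING.pop(email, None)   # pop: single use, and a wrong guess burns the link
    if entry is None:
        return None
    digest, expires = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expires or not hmac.compare_digest(digest, presented):
        return None
    return ATTENDEES[email]
```

With `login_weak`, the email address alone returns the mobile number; with the two-step flow, the caller must also control the mailbox.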
The Hospitalgown issue
The lack of a secure connection between the mobile app and its backend has been described as the Hospitalgown vulnerability – it leaves the users’ backside exposed. The term was first used by Appthority.
Hospitalgown is an indirect vulnerability in that it’s not a flaw in the core code of the app but occurs when backend services are used without ensuring proper security – it is not an exploit but a vulnerable condition. It could be the result of the developer’s error, or a security issue in the service itself.
Appthority scanned several backend platforms – Elasticsearch, MySQL, Redis, CouchDB and MongoDB – discovering an alarming 43TB of exposed, improperly-secured data in total. This data included sensitive PII such as passwords, payment information, and both corporate and customer details.
Hospitalgown weaknesses are becoming an increasingly popular target for hackers as they require little technical knowledge or effort to exploit. Since Hospitalgown is an innate weakness in a mobile app’s backend infrastructure, all an attacker needs to do is identify the vulnerability. No complex malware, technical cyber-attacks or intricate coding knowledge is required when so much data is left exposed to anyone who knows where to look.
Appthority’s Mobile Threat Team’s scan of backend platforms uncovered 43 terabytes of exposed data
Mobile backend services; not so secure
It’s becoming more and more common for mobile apps to outsource backend functionality to cloud-based service providers. Known as Mobile Backend as a Service (MBaaS, or sometimes just BaaS or alternatively Platform as a Service), this can greatly streamline an app’s development and maintenance. However, BaaS can lead to severe security issues; as soon as a service or an aspect of that service develops a security flaw or is breached, it means everything using that service is insecure too.
Google Firebase, one of the most popular BaaS platforms with Android developers, was shown to have a misconfiguration issue in another Appthority report this year. Over 3,000 mobile applications were left improperly secured, exposing a total of 113GB of data in 2300 unsecured Firebase databases. Exposed records included plaintext passwords, financial records and other personal information.
Since this was a misconfiguration error, it can be put down to flawed implementation of Google’s service rather than an innate problem with the platform or a malicious attack. However, BaaS platforms are becoming increasingly attractive targets for hackers. In 2017, Azure – Microsoft’s platform for BaaS and other cloud services – saw a 300% increase in cyber-attacks.
In 2017, Microsoft’s Azure backend service platform saw a 300% rise in cyber-attacks
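A pre-release check for the kind of Firebase misconfiguration mentioned above, as an added example rather than anything from the Appthority report. The page does not say which setting was wrong; this assumes the case of Realtime Database security rules that grant `.read` or `.write` unconditionally, and the rules document below is constructed.

```python
import json

# Constructed rules document in the Firebase Realtime Database rules format.
SAMPLE_RULES = json.loads("""
{
  "rules": {
    "profiles": {".read": true, ".write": "auth != null"},
    "orders": {
      ".read": "auth != null",
      "$uid": {".read": "auth.uid === $uid", ".write": "true"}
    }
  }
}
""")


def is_public(expr):
    """A rule is public when it is unconditionally true (boolean or the string "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def audit_rules(doc):
    """Return sorted (path, operation) pairs open to any unauthenticated client."""
    findings = []

    def walk(node, path, inherited):
        # Grants cascade downward: once a parent allows an operation,
        # no child rule can take it away, so report only the topmost grant.
        granted = set(inherited)
        for op in (".read", ".write"):
            if op not in granted and is_public(node.get(op)):
                findings.append((path or "/", op))
                granted.add(op)
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}", granted)

    walk(doc.get("rules", {}), "", set())
    return sorted(findings)
```

Run against the exported rules file in CI and fail the build on any finding; an empty list means every read and write is conditioned on some expression, not that the expressions themselves are correct.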
A MitM attack
Backend problems are not always down to misconfiguration. At the end of 2017, researchers from the University of Birmingham discovered a man-in-the-middle attack that could be leveraged against banking apps. If the attacker is on the same network (for example, if the app is used over public wifi), the MitM attack could retrieve the user’s credentials and gain access to the backend bank account.
It was estimated that 10 million customers of HSBC, NatWest, Co-op and Bank of America Health were exposed to this vulnerability.
High-Tech Bridge CEO Ilia Kolochenko explains the underlying problem with mobile apps and their backend. “In most of the cases, exploitation of a mobile app vulnerability requires some pre-existing conditions, such as an already installed malicious app on the same device or attacker’s access to the victim’s data channel (e.g. public wi-fi). All of this makes mobile apps a not very attractive target for cybercriminals, who would rather target the mobile backend – APIs and Web Services – which can be an Alibaba's cave in the case of a breach. While many companies do not even consider protecting the mobile backend with a WAF, believing that it is unnecessary, mobile apps are just the tip of the iceberg.”
Quite simply, it is easier to attack the relationship between the mobile app and the backend than to attack the mobile app itself. Even if the app’s mobile backend has more in-house development than most, vulnerabilities can still be spread over different APIs, hosting or data storage. To combat this problem, High-Tech Bridge has introduced ImmuniWeb MobileSuite. Part of its combined AI and manual testing platform, ImmuniWeb MobileSuite scans and tests both frontend and backend, looking for privacy and security risks and allowing you to keep every aspect of your app secure.