Symantec Discusses Securing Private Mobile App Data in the Cloud

We’re living through a historic era as organizations rapidly migrate their data to the cloud. The advantages are many – not the least being the flexibility now enjoyed by employees, who, no matter their location, are free to use a myriad of mobile devices to access the information they need.

But no tech transition unfolds without growing pains and that applies as well to our increasingly cloud-and-mobile-centric world. In fact, researchers from the Modern OS Security Team at Symantec have discovered that more than half of all enterprise mobile devices contain at least one application that fails to protect users’ private and highly sensitive data in the cloud.

Put another way, it means that your private data was very likely exposed to the world without you, or as is often the case, the app developer, ever knowing ‑ that is, until it’s too late.

This latest discovery focuses on a new variant of the HospitalGown data exposure which occurs when app developers fail to require authentication or expose access keys to resources or files using Microsoft Azure storage services.

Beware of the Blob

The new HospitalGown data exposure occurs when app developers fail to require authentication or expose access keys to resources or files using Microsoft Azure storage services.

Microsoft cloud services have grown at a rapid pace bringing higher adoption by app developers. As we have seen in the past, that growth potentially brings with it an increase in data leaks, often from app developers continuing to overlook or ignore basic security practices.

In 2017, researchers on Symantec’s Modern OS Security Team (previously Appthority) discovered HospitalGown, named for data leaking through back-end data stores that are unsecured. HospitalGown results from app developers’ failure to properly secure back‑end servers with firewalls and authentication, leading to data exposure. Our initial report revealed that weakly secured back-end databases were being accessed via apps used by employees, partners and customers and resulted in numerous security risks, including extensive leaks of sensitive data, easier data access and ex-filtration, and increased risks for spear phishing, social engineering, data ransom and other attacks.

What our latest research suggests is that this not only puts the app customer data at risk ‑ but also threatens the security of the entire enterprise.

The main focus and findings will cover the most popular and widely used datastore we found in use, Azure Blob service. App developers use the Azure Blob service to serve or store images, documents, log files, or backups for disaster recovery and archiving, easily accessing the objects from anywhere in the world via HTTP or HTTPS, and widely supported with client libraries for mobile platforms.

Even though Microsoft adequately documents and provides the tools to protect resources and objects using the Azure Blob service, some app developers continue to ignore or understand how to properly secure files stored in the cloud.

Moreover, it takes little effort for attackers to locate open files and objects stored using the Azure Blob service. Cyber criminals can then gain access to millions of private mobile data app records by simply accessing the unguarded file.

That was the case here and it doesn’t make for a pretty picture. Apps connected to unsecured Azure Blob services have exposed more than 200 million data records, including: 1.6 million user and employee IDs with credentials and passwords. Other findings include the following:

• 460 mobile iOS and Android apps – over 1.1 billion Android downloads, alone — are leaking files from 223 unsecured Azure Blob service accounts

• Multiple app categories are impacted including tools, productivity, health and fitness, communication, finance and business apps

• More than 200 million database records are exposed, including: 1.6 million user and employee IDs with credentials and passwords

• Thousands of PHI (Protected Health Information) records (patient names, health symptoms, and medical history)

• Millions of GPS location records and vehicle tracking information (name and car registration numbers)

• Thousands of documents containing corporate contracts, invoices, and inventory costs and tracking data

Research Methodology

In late 2018, we continued to look at techniques we've developed identifying back-end servers connecting to mobile apps. We then looked at the most popular data stores across hundreds of thousands of mobile apps we've analyzed and identified the back-end services to which they were sending data. Using these findings, we identified Microsoft cloud storage solution, "Azure Storage", highly popular among app developers. Azure Storage currently includes four different services:

• Azure Blobs (optimized for massive amounts of data, streaming video and audio, and storing data for backup)
• Azure Files (store files accessible to SMB, primarily used for on-premise or internal apps)
• Azure Queues (store lists of messages)
• Azure Tables (store NoSQL)

The type of Azure storage service, account, and accessible resources are identifiable within the URL used by the app when connecting to the cloud service. The URI format includes the Azure account name, storage type (blob, table, queue, or file) and specific resources and REST API operations. For example, an app accessing an Azure Blob document in the container "human_resources" with account "acme" would use the following URL:

https://<acme>.blob.core.windows.net/human_resources/reviews/wilecoyote.docx

We looked across all our apps identifying the app using this URI format to connect to Azure storage services. In total, we found 8225 mobile apps connecting to over 25000 different Azure accounts. Azure Blob Storage was the most widely used by mobile app developers, by far, as seen in the following table,

Total Apps: 8225

Next, we looked at security controls (authentication and authorization) available and best security practices recommended by Microsoft. In almost all cases, we find developers failing to secure data entirely (no authentication) or improperly securing data by doing exactly what the security documents say not to do. From looking and comparing how app developers are accessing cloud resources with Azure storage services, this looks to be the case yet again. We found close to 1 in 4 app developers using the Azure Blob service exposing files without any authentication, and worse, app developers including hard-coded shared access keys exposing all files and directories under a Microsoft Azure account. Again, exactly what the security best practice documents instruct app developers not to do.

In a potential threat model, a bad actor could:

• Parse strings and/or look for network connections from apps that are connecting to Azure Blob services
• Parse app strings looking for hard-coded account access keys, following the format of "AccountName=<account>,SharedKey=<Access Key>=="
• Query Azure blob service "https://<account>.blob.core.windows.net/?comp=list" retrieving the full list of exposed files and containers

Our research team applied this threat model to over 2.8 million iOS and Android apps found on mobile devices in enterprises. We then pulled a list of exposed containers and files for each account, storing part of the data in a secure location for further analysis.

To determine the impact of the data being leaked, we evaluated the type of sensitive data exposed. We used Data Loss Prevention (DLP) techniques to identify confidential or sensitive information. These included the types of files and data contained, identifying patterns that characterize sensitive data such as credit card numbers, passwords, corporate sensitive data, etc. After running the analysis across all apps, we had a clear picture of the impact and scale of the data exposure.

Compared to previous HospitalGown findings focusing on data and files used by the mobile app, this picture stretched into the enterprise, often exposing internal files and sensitive data in use by the enterprise connected to the mobile app. Full corporate database backup files were exposed - often side by side - with less sensitive files used and accessed by the mobile app. Further, we found corporate internal documents, financial tables, customer invoice and billing details (including full credit card numbers and SWIFT codes), internal employee documents, medical records and other highly sensitive files leaked from exposed Azure Blob Storage containers.

Defanging Threats to Enterprise Data

When internal company data gets leaked, organizations lose intellectual property, damaging their viability and competitiveness. Indeed, the app leaks we found included corporate private keys and access credentials. With this information in hand, cyber criminals have free reign in a corporate network and can potentially exfiltrate sensitive intellectual property, such as patent information and plans for future products.

Organizations can protect themselves from HospitalGown by following best practices for sharing and using resources from the cloud storage provider.  Microsoft publishes a security checklist and guidance for Azure Storage that can be found here.  In particular, developers should never reuse cloud shares meant for user data with internal corporate data, and should ensure all shares are appropriately locked down with permissions designed for the data being stored.