- The affected apps connect to unsecured back-end databases running on popular enterprise data stores such as Elasticsearch or MySQL, which are leaking large amounts of sensitive data.
- Apps that used just one of these services exposed almost 43TB of data.
- Multiple affected apps leaked PII including passwords, payment details, location and travel details, corporate profile data (including employee VPN PINs, email addresses and phone numbers) and customer data.
- Due to the risk’s location in the architecture stack of mobile app vendors, enterprise security teams don’t have visibility into the risk.
- In multiple cases the exposed data had already been accessed and held for ransom by unauthorized parties.
- Even apps that have been removed from devices and app stores remain a risk, because the sensitive data they collected is still stored on the unsecured servers.
According to the company, its Mobile Threat Team discovered the HospitalGown vulnerabilities by combining its dynamic app analysis tool with a new back-end scanning method. The scan examined the network traffic of more than 1 million enterprise mobile apps on iOS and Android. Appthority stressed that all HospitalGown vulnerabilities were the same as those in the RedLock reports.
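The approach described above (observe an app's outbound traffic, pick out the back-end data stores it talks to, then check whether those stores answer without authentication) can be sketched offline. The following is an added illustration, not Appthority's tool or any code from the report: the traffic lines, hostnames (`*.example-travel.test`), port-to-service table and probe responses are all constructed here, and the service guesses are heuristics based on default ports. Probing a live host that you do not own or have written authorization to test is out of scope; the probe is injected as a callable precisely so the triage logic can be exercised against canned responses.

```python
from urllib.parse import urlsplit

# Constructed sample: one line per outbound request or connection observed
# while exercising a mobile app under dynamic analysis. Not real data.
SAMPLE_TRAFFIC = """\
GET https://api.example-travel.test/v2/bookings?user=42
POST http://search.example-travel.test:9200/bookings/_search
GET http://search.example-travel.test:9200/_cluster/health
GET https://cdn.example-travel.test/img/logo.png
mysql://db.example-travel.test:3306/crm
"""

# Heuristic mapping from default port / URI scheme to data-store type
# (assumption: the app uses default ports, which is common but not guaranteed).
DEFAULT_PORTS = {9200: "elasticsearch", 9300: "elasticsearch", 3306: "mysql",
                 27017: "mongodb", 6379: "redis", 5984: "couchdb"}
SCHEME_SERVICES = {"mysql": "mysql", "mongodb": "mongodb",
                   "redis": "redis", "postgres": "postgresql"}
DATA_STORES = set(DEFAULT_PORTS.values()) | set(SCHEME_SERVICES.values())


def extract_backends(traffic: str):
    """Return a sorted list of (host, port, service) seen in captured traffic.

    Each line is either 'METHOD url' or a bare connection URI; the last
    whitespace-separated token is treated as the URL.
    """
    found = {}
    for line in traffic.splitlines():
        line = line.strip()
        if not line:
            continue
        url = line.split()[-1]
        u = urlsplit(url)
        if not u.hostname:
            continue
        scheme = u.scheme.lower()
        port = u.port or (443 if scheme == "https" else 80 if scheme == "http" else None)
        service = SCHEME_SERVICES.get(scheme) or DEFAULT_PORTS.get(
            port, "web" if scheme in ("http", "https") else "unknown")
        found[(u.hostname, port)] = service
    return sorted((h, p, s) for (h, p), s in found.items())


def datastore_candidates(backends):
    """Keep only endpoints that look like a database / search cluster."""
    return [b for b in backends if b[2] in DATA_STORES]


def es_exposure(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET / on a suspected Elasticsearch host.

    'open'    -> 200 with the cluster banner: no authentication in front of the store
    'auth'    -> 401/403: some access control is present
    'unknown' -> anything else (proxy, different service, connection error)
    """
    if status in (401, 403):
        return "auth"
    if status == 200 and ('"cluster_name"' in body or '"tagline"' in body):
        return "open"
    return "unknown"


def triage(backends, probe):
    """Run `probe(host, port) -> (status, body)` over Elasticsearch candidates
    and return {(host, port): classification}. `probe` is injected so the
    logic can run against canned responses instead of live hosts."""
    results = {}
    for host, port, service in datastore_candidates(backends):
        if service != "elasticsearch":
            continue  # only the HTTP-speaking store gets this banner check
        status, body = probe(host, port)
        results[(host, port)] = es_exposure(status, body)
    return results


# Constructed probe responses standing in for network access.
CANNED = {
    ("search.example-travel.test", 9200):
        (200, '{"cluster_name":"prod","tagline":"You Know, for Search"}'),
}


def canned_probe(host, port):
    return CANNED.get((host, port), (0, ""))


if __name__ == "__main__":
    backends = extract_backends(SAMPLE_TRAFFIC)
    for entry in backends:
        print("backend:", entry)
    for endpoint, verdict in triage(backends, canned_probe).items():
        print("elasticsearch", endpoint, "->", verdict)
```

The only signal this uses is whether an Elasticsearch root endpoint returns its cluster banner to an anonymous request; a MySQL or MongoDB candidate would need a protocol-specific handshake check instead, which is why those entries are surfaced as candidates but not probed here.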