1. https://appdevelopermagazine.com/security
  2. https://appdevelopermagazine.com/enterprise-threat-dubbed-hospitalgown-infests-thousands-of-apps/
6/6/2017 2:01:37 PM
Enterprise threat dubbed HospitalGown infests thousands of apps
Enterprise App Vulnerability,Mobile App Vulnerability,HospitalGown Vulnerability
/Enterprise-Threat-Dubbed-HospitalGown-App-Developer-Magazine_52u81v4c.jpg
App Developer Magazine

Security

Enterprise threat dubbed HospitalGown infests thousands of apps


Tuesday, June 6, 2017

Richard Harris Richard Harris

Mobile backend enterprise security threat, dubbed HospitalGown, identified by Appthority.

Appthority, an enterprise mobile threat protection company, published research on a newly discovered backend data exposure vulnerability, dubbed HospitalGown, that highlights the connection between mobile apps and insecure backend databases containing enterprise data. Appthority documented more than 1,000 apps with this vulnerability, and researched in detail 39 applications with big data leaks, which exposed an estimated 280 million records. These records were accessible as a result of weakly secured backends and did not require authentication of any kind to access the data.

Data leakage, especially leaks of personally identifiable information (PII), significantly increase the risk of spear phishing, brute force login, social engineering, and data ransom attacks on enterprises with employees, partners or customers that currently or have ever used the compromised apps. Appthority has reached out to the mobile application developers, app stores, and hosting providers associated with the data leaks.

“HospitalGown poses a direct risk to enterprises, opening them to an easy breach, exfiltration of sensitive data, and the costs from remediation, lawsuits, compliance infractions and loss of brand trust,” said Seth Hardy, Appthority Director of Security Research. “No amount of on-device application security can make up for relaxed security where the application stores user data. A breach at the backend takes the magnitude of the threat from being focused on a handful of devices to a much broader exposure for an entire enterprise, which could result in big data leaks or ransom of sensitive data.”

The Appthority Mobile Threat Team (MTT) discovered HospitalGown using an innovative backend scanning technique, added as a new component to the company’s dynamic mobile app analysis. Using this technique, the MTT analyzed the network traffic of over a million enterprise mobile iOS and Android apps and led to the discovery of over 21,000 open Elasticsearch servers with unprotected data connected to apps frequently found on enterprise devices.

“The HospitalGown threat is both real for enterprises and significant,” said Ed Amoroso, CEO of TAG Cyber. “It underscores the need for the in depth and innovative mobile threat defense solution that Appthority provides.”

Key findings:


- Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data

- Apps using just one of these services revealed almost 43TB of exposed data

- Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees’ VPN PINs, emails, phone numbers), and retail customer data

- In multiple cases, data has already been accessed by unauthorized individuals and ransomed

- Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers
Enterprise threat dubbed HospitalGown infests thousands of apps







Subscribe to App Developer Magazine

Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.

MEMBERS GET ACCESS TO

  • - Exclusive content from leaders in the industry
  • - Q&A articles from industry leaders
  • - Tips and tricks from the most successful developers weekly
  • - Monthly issues, including all 90+ back-issues since 2012
  • - Event discounts and early-bird signups
  • - Gain insight from top achievers in the app store
  • - Learn what tools to use, what SDK's to use, and more

    Subscribe here



Stay Updated

Sign up for our newsletter for the headlines delivered to you

SuccessFull SignUp

Featured Stories


Enviromates new browser launches
Enviromates new browser launches Monday, July 6, 2026




AI Executive Order aims to balance security and innovation
AI Executive Order aims to balance security and innovation Monday, June 29, 2026


Top manufacturing trends for 2026
Top manufacturing trends for 2026 Tuesday, June 23, 2026


API scoring tool shows if your API is ready for AI
API scoring tool shows if your API is ready for AI Monday, June 22, 2026


Agentic AI Reality Check: The Million-Dollar Mistake Hiding Inside ERP
Agentic AI Reality Check: The Million-Dollar Mistake Hiding Inside ERP Friday, June 19, 2026


Influencer Debate AI Anthropic IPO Reveals Industry Concerns
Influencer Debate AI Anthropic IPO Reveals Industry Concerns Wednesday, June 17, 2026


Subscription apps are losing users faster than ever
Subscription apps are losing users faster than ever Tuesday, June 16, 2026


DomainTools announces real time threat feeds
DomainTools announces real time threat feeds Monday, June 15, 2026


Take It Down Act results in warning letters from FTC
Take It Down Act results in warning letters from FTC Friday, June 12, 2026


Nvidia valuation fears grow
Nvidia valuation fears grow Friday, June 12, 2026


Get More App News