New HospitalGown Variant in iOS, Android Apps

More than 3,000 iOS and Android mobile apps have presumably been affected by a new HospitalGown threat variant recently discovered by Appthority. The threat occurs when app developers fail to require authentication to Google Firebase databases, potentially leaving private data exposed.

Researchers first discovered what they call the HospitalGown vulnerability in 2017, after broadening their understanding of enterprise mobile threats by looking at data leakage through unsecured back-end data stores. In a 31 May 2017 post, researchers wrote, “This vulnerability...can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.”

At the time Appthority reported the vulnerability, the apps affected by the Firebase variant had been downloaded 620 million times for Android devices. Researchers said 62% of enterprises were exposed to the loss of sensitive data through this vulnerability. The vulnerability is reportedly both critical and significant, and has likely impacted productivity, health and fitness, communication, cryptocurrency, finance and business apps.

“The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities,” Seth Hardy, Appthority director of security research, said in a 19 June press release.
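For teams checking their own back end for the missing-authentication condition described above, the following Python script is an added example (not code from Appthority or the original article) that audits a database rules file. It assumes the Firebase Realtime Database rules JSON format, in which a `.read` or `.write` rule of `true` grants access without authentication; the sample rules and the names `audit` and `is_open` are constructed for illustration.

```python
import json

# Constructed sample in the Realtime Database rules format (not from any real app).
SAMPLE_RULES = json.loads("""
{"rules": {
  ".read": true,
  "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                     ".write": "auth != null && auth.uid == $uid"}},
  "messages": {".read": "auth != null", ".write": "true"}
}}
""")

OPEN = "open to unauthenticated clients"
SHADOWED = "stricter rule has no effect: an ancestor already grants access"


def is_open(expr):
    """True when the rule is the literal true, i.e. it never consults `auth`."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def audit(node, path="/", inherited=frozenset()):
    """Walk a rules tree and return (path, operation, reason) findings.

    Access granted at a path also applies to every child path, so an open
    ancestor makes a child's stricter rule ineffective.
    """
    findings, open_here = [], set(inherited)
    for op in (".read", ".write"):
        if op not in node:
            continue
        if is_open(node[op]):
            findings.append((path, op, OPEN))
            open_here.add(op)
        elif op in inherited:
            findings.append((path, op, SHADOWED))
    for key, child in node.items():
        if isinstance(child, dict):
            child_path = path.rstrip("/") + "/" + key
            findings += audit(child, child_path, frozenset(open_here))
    return findings


if __name__ == "__main__":
    for path, op, reason in audit(SAMPLE_RULES["rules"]):
        print(f"{path} {op}: {reason}")
```

A rule of `auth != null` admits any signed-in user, so rules that pass this check still need per-user or per-role conditions wherever data is not meant to be shared.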
