SecurityWeek
Mobile Health Apps Found to Expose Records of Millions of Users

An analysis of 30 popular mobile health (mHealth) applications has revealed that all of them expose the full patient records of millions of people.

Research conducted by Alissa Knight, partner at marketing agency Knight Ink, on behalf of mobile API threat protection firm Approov showed that the applications are vulnerable to API attacks that unauthorized parties could leverage to access protected health information (PHI) and personally identifiable information (PII).

With people increasingly relying on mHealth apps during the COVID-19 pandemic, the researchers observed that such apps now generate more user activity than other mobile apps.

The research study, All That We Let In – Hacking 30 Mobile Health Apps and APIs, is based on the analysis of 30 popular mHealth apps, with an average number of downloads of approximately 772,000. Across the 30 apps, that amounts to an estimated user base of roughly 23 million.

The number of affected users, however, is likely much higher, considering that there are over 300,000 mHealth apps available at the moment on major app stores, the researcher says.

None of the analyzed applications had certificate pinning implemented, thus allowing for man-in-the-middle (MitM) attacks, while 77% of them contained hardcoded API keys, tokens, and credentials. Half of the APIs did not authenticate requests with tokens and one quarter of the apps (27%) were not secured against reverse engineering.

During analysis, Knight discovered 114 hardcoded API keys and tokens that allowed for authenticating with the mHealth company and third-party APIs. Exposed secrets were identified for Branch.io, Cisco Umbrella, Google, Microsoft App Center, Stripe, AWS, AppsFlyer, Facebook, Salesforce, and more.

Half of the records that these applications exposed contained names, addresses, birthdates, social security numbers, allergies, medication data, and other sensitive information.

All of the tested API endpoints, the researcher says, were vulnerable to broken object level authorization (BOLA) attacks, thus providing access to PII and PHI even for patients not assigned to the clinician account. Half of the tested APIs provided access to pathology, X-rays, and clinical results of other patients.
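As an added illustration (not code from the report or from any of the tested apps), here is a minimal Python model of the BOLA defect described above beside the object-level check that closes it; the clinician accounts, patient IDs and clinician-to-patient assignments are constructed for the example.

```python
from typing import Optional, Tuple

# Constructed sample data (not from the report): three patient records and the
# patients each clinician account is assigned to.
PATIENT_RECORDS = {
    101: {"name": "Patient A", "allergies": ["penicillin"]},
    102: {"name": "Patient B", "allergies": []},
    103: {"name": "Patient C", "allergies": ["latex"]},
}
ASSIGNMENTS = {
    "dr_lee": {101, 102},
    "dr_kim": {103},
}

Response = Tuple[int, Optional[dict]]  # (HTTP-style status, body)


def handle_vulnerable(clinician: str, patient_id: int) -> Response:
    """BOLA as described in the report: the caller is authenticated, but the
    handler never checks that the requested object belongs to that caller, so
    any clinician can read any patient's record just by changing patient_id."""
    if clinician not in ASSIGNMENTS:
        return 401, None
    record = PATIENT_RECORDS.get(patient_id)
    return (200, record) if record is not None else (404, None)


def handle_fixed(clinician: str, patient_id: int) -> Response:
    """Object-level authorization: the record is returned only when the patient
    is assigned to the authenticated clinician. An unassigned ID gets the same
    404 as a nonexistent one, so the response does not reveal which IDs exist."""
    if clinician not in ASSIGNMENTS:
        return 401, None
    if patient_id not in ASSIGNMENTS[clinician]:
        return 404, None
    record = PATIENT_RECORDS.get(patient_id)
    return (200, record) if record is not None else (404, None)


if __name__ == "__main__":
    # dr_kim is assigned only patient 103, yet the vulnerable handler serves 101.
    print("vulnerable: ", handle_vulnerable("dr_kim", 101))
    print("fixed:      ", handle_fixed("dr_kim", 101))
    print("own patient:", handle_fixed("dr_kim", 103))
```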

The report also provides recommendations for mobile app developers, a series of steps intended to protect customer data and sensitive resources: secure both the app and its APIs, secure the development process and harden the apps, implement certificate pinning to protect against MitM attacks, monitor the implemented controls, and perform penetration testing.

Related: Norway Suspends Virus-Tracing App After Privacy Concerns

Related: New Trials in England for Troubled Virus Tracing App

Related: Report: Apps Give Facebook Sensitive Health and Other Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
