Mobile Health Apps Found to Expose Records of Millions of Users

An analysis of 30 popular mobile health (mHealth) applications has revealed that all of them expose the full patient records of millions of people.

Research conducted by Alissa Knight, partner at marketing agency Knight Ink, on behalf of mobile API threat protection firm Approov showed that the applications are vulnerable to API attacks that unauthorized parties could leverage to access protected health information (PHI) and personally identifiable information (PII).

With people increasingly relying on mHealth apps during the COVID-19 pandemic, researchers observed that such apps are now generating more user activities compared to other mobile apps.

The research study, All That We Let In – Hacking 30 Mobile Health Apps and APIs, is based on the analysis of 30 popular mHealth apps, with an average number of downloads of approximately 772,000. Thus, these apps had an estimated user base of roughly 23 million.

The number of affected users, however, is likely much higher, considering that there are over 300,000 mHealth apps available at the moment on major app stores, the researcher says.

None of the analyzed applications had certificate pinning implemented, thus allowing for man-in-the-middle (MitM) attacks, while 77% of them contained hardcoded API keys, tokens, and credentials. Half of the APIs did not authenticate requests with tokens, and one quarter of the apps (27%) were not secured against reverse engineering.

During analysis, Knight discovered 114 hardcoded API keys and tokens that allowed for authenticating with the mHealth company and third-party APIs. Exposed secrets were identified for Cisco Umbrella, Google, Microsoft App Center, Stripe, AWS, AppsFlyer, Facebook, Salesforce, and more.
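The hardcoded-secret finding above is the kind of thing a development team can catch before release by scanning the strings that survive into the shipped app. The following is an added example, not code from the report or from any of the tested apps: the input lines are constructed to resemble a strings dump of a decompiled app, the key values are placeholders (the AWS value is the documentation example key), and the pattern set is a small illustration rather than a complete secret catalogue.

```python
"""Flag hardcoded API keys and tokens in strings extracted from a mobile app.

Added example, not from the Approov/Knight report. The input lines are
constructed; the key values are placeholders (the AWS one is the public
documentation example key), and the pattern list is deliberately short.
"""
import re
from typing import List, Tuple

# Constructed sample input, as if pulled from a strings dump of a decompiled app.
SAMPLE_STRINGS = [
    "https://api.example-mhealth.test/v1/patients",
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    'String STRIPE_KEY = "sk_live_0000000000000000000000000000";',
    "analytics_token: 3f1c2b9e6d7a4b8c9d0e1f2a3b4c5d6e",
    "Content-Type: application/json",
]

# Ordered from most to least specific; the first pattern that matches a line wins.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}")),
    # Generic "name = value" where the name hints at a secret and the value is long.
    ("generic_secret_assignment", re.compile(
        r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})")),
]


def mask(value: str) -> str:
    """Keep only a short prefix so a finding can be triaged without re-leaking the secret."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:6] + "*" * (len(value) - 6)


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_kind, masked_value) for each line with a suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                # Patterns with a capture group report the value; others report the whole match.
                value = m.group(m.lastindex or 0)
                findings.append((lineno, kind, mask(value)))
                break  # one finding per line, from the most specific pattern
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan(SAMPLE_STRINGS):
        print(f"line {lineno}: {kind}: {masked}")
```

Running this over the constructed input reports the AWS key, the Stripe live key and the generic token assignment and ignores the URL and the header line. In practice the same scan belongs in CI against the built artifact, because a key that only exists in a build-time config is not the problem; one that ends up inside the APK or IPA is.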

Half of the records that these applications exposed contained names, addresses, birthdates, social security numbers, allergies, medication data, and other sensitive information.

All of the tested API endpoints, the researcher says, were vulnerable to broken object level authorization (BOLA) attacks, thus providing access to PII and PHI even for patients not assigned to the clinician account. Half of the tested APIs provided access to pathology, X-rays, and clinical results of other patients.
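To make the BOLA finding concrete, here is an added example (not code from the report or from any of the tested apps) of a patient-record endpoint in its broken and corrected forms, with a small regression check that enumerates every clinician against every patient id and counts records returned to a clinician who is not assigned to that patient. The record store, the assignment table, the `Request` type and the two handlers are all constructed for illustration.

```python
"""Broken object level authorization (BOLA) on a patient-record endpoint.

Added example, not code from the Approov/Knight report or the tested apps.
Everything here is constructed: the in-memory record store, the
clinician-to-patient assignment table, and the two hypothetical handlers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Constructed sample data: records keyed by the patient id that appears in the URL.
PATIENT_RECORDS: Dict[str, dict] = {
    "p-1001": {"name": "Patient A", "dob": "1980-01-01", "allergies": ["penicillin"]},
    "p-1002": {"name": "Patient B", "dob": "1975-06-15", "allergies": []},
    "p-1003": {"name": "Patient C", "dob": "1990-11-30", "allergies": ["latex"]},
}

# Constructed assignment table: which patients each clinician is allowed to see.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "clin-7": {"p-1001", "p-1002"},
    "clin-9": {"p-1003"},
}


@dataclass(frozen=True)
class Request:
    clinician_id: str  # established by the authentication layer (token already validated)
    patient_id: str    # object id chosen by the client, e.g. GET /patients/{id}


class NotFound(Exception):
    """Mapped to HTTP 404 by the (hypothetical) framework."""


def get_patient_record_bola(req: Request) -> dict:
    """Vulnerable: the caller is authenticated, but nothing ties the requested
    patient to the caller, so changing the id in the URL reads any record."""
    if req.patient_id not in PATIENT_RECORDS:
        raise NotFound(req.patient_id)
    return PATIENT_RECORDS[req.patient_id]


def get_patient_record(req: Request) -> dict:
    """Hardened: authorization is checked against the server-side assignment
    table before the record is touched. Unassigned and nonexistent ids both
    produce NotFound, so the endpoint does not confirm which ids exist."""
    allowed = ASSIGNMENTS.get(req.clinician_id, set())
    if req.patient_id not in allowed or req.patient_id not in PATIENT_RECORDS:
        raise NotFound(req.patient_id)
    return PATIENT_RECORDS[req.patient_id]


def denies(handler: Callable[[Request], dict], req: Request) -> bool:
    """True if the handler refuses the request with NotFound."""
    try:
        handler(req)
    except NotFound:
        return True
    return False


def count_cross_patient_reads(handler: Callable[[Request], dict]) -> int:
    """Authorization regression check: try every clinician against every patient
    id and count records returned to a clinician not assigned to that patient.
    Any value above zero means the handler has a BOLA defect."""
    leaked = 0
    for clinician_id, allowed in ASSIGNMENTS.items():
        for patient_id in PATIENT_RECORDS:
            if patient_id in allowed:
                continue
            if not denies(handler, Request(clinician_id, patient_id)):
                leaked += 1
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks", count_cross_patient_reads(get_patient_record_bola), "records")
    print("hardened handler leaks", count_cross_patient_reads(get_patient_record), "records")
```

The fix is the single lookup against `ASSIGNMENTS` keyed by the authenticated identity, not by anything the client sends. The hardened handler answers NotFound for both unassigned and nonexistent ids, a deliberate choice so that the status code cannot be used to enumerate valid patient ids; a team that prefers 403 for unassigned ids should make that choice knowingly. The `count_cross_patient_reads` check is cheap enough to run as a unit test on every endpoint that takes an object id.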

The report also recommends that mobile app developers adopt a series of steps to protect customer data and sensitive resources: secure both the app and its APIs, secure the development process and harden the apps, implement certificate pinning to protect against MitM attacks, monitor the implemented controls, and perform penetration testing.

Related: Norway Suspends Virus-Tracing App After Privacy Concerns

Related: New Trials in England for Troubled Virus Tracing App

Related: Report: Apps Give Facebook Sensitive Health and Other Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
