Mobile Health Apps Found to Expose Records of Millions of Users
An analysis of 30 popular mobile health (mHealth) applications has revealed that all of them expose the full patient records of millions of people.
Research conducted by Alissa Knight, partner at marketing agency Knight Ink, on behalf of mobile API threat protection firm Approov showed that the applications are vulnerable to API attacks that unauthorized parties could leverage to access protected health information (PHI) and personally identifiable information (PII).
With people increasingly relying on mHealth apps during the COVID-19 pandemic, researchers observed that such apps are now generating more user activities compared to other mobile apps.
The research study, All That We Let In – Hacking 30 Mobile Health Apps and APIs, is based on the analysis of 30 popular mHealth apps with an average of approximately 772,000 downloads each, which gives these apps a combined estimated user base of roughly 23 million.
The number of affected users, however, is likely much higher, considering that there are over 300,000 mHealth apps available at the moment on major app stores, the researcher says.
None of the analyzed applications had certificate pinning implemented, leaving them open to man-in-the-middle (MitM) attacks, while 77% of them contained hardcoded API keys, tokens, and credentials. Half of the APIs did not authenticate requests with tokens, and roughly one quarter of the apps (27%) were not secured against reverse engineering.
During analysis, Knight discovered 114 hardcoded API keys and tokens that allowed for authenticating with the mHealth company's own APIs and with third-party APIs. Exposed secrets were identified for Branch.io, Cisco Umbrella, Google, Microsoft App Center, Stripe, AWS, AppsFlyer, Facebook, Salesforce, and more.
Half of the records that these applications exposed contained names, addresses, birthdates, social security numbers, allergies, medication data, and other sensitive information.
All of the tested API endpoints, the researcher says, were vulnerable to broken object level authorization (BOLA) attacks, thus providing access to PII and PHI even for patients not assigned to the clinician account. Half of the tested APIs provided access to pathology, X-rays, and clinical results of other patients.
The report also recommends a series of steps for mobile app developers to protect customer data and sensitive resources: secure both the app and its APIs, secure the development process and harden the apps, implement certificate pinning to protect against MitM attacks, monitor the implemented controls, and perform penetration testing.
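To make the BOLA finding concrete, the following is an added example (not code from the report, from Approov, or from any of the tested apps) of a minimal in-memory patient-record API. The patient ids, clinician ids, bearer tokens and record contents are all constructed. `get_record_bola` shows the pattern the report describes, where a request is authenticated but the record is returned for any object id; `get_record_fixed` adds the object-level check that ties each record to the clinician's assignment list, and `audit_cross_patient_access` is the kind of authorization test a development team can run against its own handlers to detect the defect before release.

```python
"""Broken object level authorization (BOLA) in a patient-record API.

Constructed example: the ids, tokens and records below are made up and
the handlers return (status, body) tuples instead of HTTP responses.
"""

# Constructed sample data: three patient records.
RECORDS = {
    "p-1001": {"name": "Patient A", "allergies": ["constructed"]},
    "p-1002": {"name": "Patient B", "allergies": []},
    "p-1003": {"name": "Patient C", "allergies": ["constructed"]},
}

# The object-level relationship: which patients each clinician may see.
ASSIGNMENTS = {
    "dr-1": {"p-1001", "p-1002"},
    "dr-2": {"p-1003"},
}

# Valid bearer tokens mapped to clinician ids (constructed values).
TOKENS = {"tok-dr1": "dr-1", "tok-dr2": "dr-2"}


def authenticate(headers):
    """Return the clinician id for a valid bearer token, or None.

    This is authentication only: it establishes who is calling, not
    which records that caller may read.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_record_bola(headers, patient_id):
    """Vulnerable handler: authenticates, then serves any record by id.

    Every valid token can read every patient, which is the BOLA pattern
    the report found on all tested endpoints.
    """
    if authenticate(headers) is None:
        return 401, {"error": "unauthorized"}
    record = RECORDS.get(patient_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def get_record_fixed(headers, patient_id):
    """Hardened handler: the record is served only if the caller is
    assigned to that patient.

    Unassigned and nonexistent ids both return 404 so the response does
    not reveal whether a given patient id exists.
    """
    clinician = authenticate(headers)
    if clinician is None:
        return 401, {"error": "unauthorized"}
    if patient_id not in ASSIGNMENTS.get(clinician, set()):
        return 404, {"error": "not found"}
    record = RECORDS.get(patient_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def audit_cross_patient_access(handler):
    """Authorization test: for each clinician, list the records the handler
    serves that are outside that clinician's assignment list.

    An empty set for every clinician means no object-level leak; any
    non-empty set is a BOLA finding for that handler.
    """
    leaks = {}
    for token, clinician in TOKENS.items():
        headers = {"Authorization": f"Bearer {token}"}
        readable = {pid for pid in RECORDS if handler(headers, pid)[0] == 200}
        leaks[clinician] = readable - ASSIGNMENTS[clinician]
    return leaks


if __name__ == "__main__":
    print("vulnerable:", audit_cross_patient_access(get_record_bola))
    print("fixed:     ", audit_cross_patient_access(get_record_fixed))
```

The audit function is the useful part for a defender: it enumerates the records each identity can actually read and compares that against the records it should be able to read, so the check is expressed in terms of the authorization model rather than individual requests. In a real service the same test would run against the staging API with one token per role, and any non-empty difference is a release blocker.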