New findings in the research report “All That We Let In” (press release and study link) show that fully 100% of the 30 popular mHealth apps analyzed by Approov and cybersecurity researcher Alissa Knight are vulnerable to API attacks that can allow unauthorized access to full patient records, including protected health information (PHI) and personally identifiable information (PII). The study underscores the API shielding actions now urgently required to protect mHealth apps from API abuse. The researcher estimates that an average of 23 million mHealth users are potentially exposed through the 30 apps, and says that, given that 318,000 mHealth apps are now available on major app stores and the pandemic is driving the growing use of mHealth apps, the number of users impacted is likely far greater.
<p>While it is a best practice for a mainstream application’s code to move through a thorough secure code review during development, organizations are often haphazard in following the same secure systems development lifecycle (SSDLC) process while developing mobile applications. By not applying the same rigorous process, any defective code will lead to vulnerabilities that can be exploited by even the most novice of hackers.</p>
<p>mHealth apps – even before the pandemic – have had real problems with security. Unfortunately, many of these types of apps don’t have strong security – they don’t allow MFA, they only require short passwords, and of course, the API-related issues this researcher has underscored. As stated in the report, we’re seeing people using healthcare apps even more now as a necessity driven by the pandemic.</p>
<p>Another area of vulnerability is how the apps are put together. Are they using OS software? If so, are they checking for vulns in OS code? That’s a common problem, and it’s worth remembering that anything that’s free usually comes with a price.</p>
<p>This report is telling in how little attention is given to application security for mobile applications. It is disheartening to see how many basic security best practices are ignored in the development of mobile applications and the APIs that allow them to access relevant data.</p>
<p>Code review and remediation for all of the applications and APIs in question is a monumental, but necessary, task to start, as is a review of the coding practices that led to such weak security in the first place.</p>