mHealth App APIs Vulnerable To Attacks Exposing PII & PHI – Experts Insight

New findings in the research report “All That We Let In” (press release and study link) show that fully 100% of the 30 popular mHealth apps analyzed by Approov and cybersecurity researcher Alissa Knight are vulnerable to API attacks that can allow unauthorized access to full patient records, including protected health information (PHI) and personally identifiable information (PII). The study underscores the API shielding measures now urgently required to protect mHealth apps from API abuse. The researcher estimates that an average of 23 million mHealth users are potentially exposed through the 30 apps, and says that, with 318,000 mHealth apps now available on major app stores and the pandemic driving their growing use, the number of people affected is likely far greater.

3 Expert Comments
Tom Garrubba, Senior Director and CISO (InfoSec Expert)
February 10, 2021 11:34 am

While it is a best practice for a mainstream application’s code to move through a thorough secure code review during development, organizations are often haphazard in following the same secure systems development lifecycle (SSDLC) process while developing mobile applications. By not applying the same rigorous process, any defective code will lead to vulnerabilities that can be exploited by even the most novice of hackers.

Chloé Messdaghi, VP of Strategy (InfoSec Expert)
February 10, 2021 11:13 am

mHealth apps – even before the pandemic – have had real problems with security. Unfortunately, many of these types of apps don’t have strong security – they don’t allow MFA, they only require short passwords, and of course, there are the API-related issues this researcher has underscored. As stated in the report, we’re seeing people using healthcare apps even more now as a necessity driven by the pandemic.

Another area of vulnerability is how the apps are put together. Are they using OS software? If so, are they checking for vulns in OS code? That’s a common problem, and it’s worth remembering that anything that’s free usually comes with a price.

Saryu Nayyar, CEO (InfoSec Expert)
February 10, 2021 11:07 am

This report is telling in how little attention is given to application security for mobile applications. It is disheartening to see how many basic security best practices are ignored in the development of mobile applications and the APIs that allow them to access relevant data.

Code review and remediation for all of the applications and APIs in question is a monumental, but necessary, task to start. As is a review of the coding practices that led to such weak security in the first place.
