Mobile Health Apps Expose Protected Health Information via APIs

Health care providers have become the primary targets of cybercriminals. In 2020, several data breaches and cyberattacks were reported on health care organizations globally. Cybercriminals often focus on exploiting vulnerabilities on connected medical devices to pilfer patients’ sensitive information.

A new study from Approov and cybersecurity researcher Alissa Knight revealed that popular mobile health (mHealth) applications are potentially exposing millions of patients’ personally identifiable information (PII), including social security numbers, addresses, diagnosis history, birthdates, medications, protected health information (PHI), etc.

The survey “All That We Let In” found Application Programming Interface (API) vulnerabilities in the 30 popular mobile health apps, affecting over 23 million mHealth users. Since more than 318,000 mHealth apps are available on major app stores, it is suspected that the number of patients impacted is greater than expected.

Key Highlights

• Of the 30 popular apps tested, 77% contained hardcoded API keys, some of which don’t expire, and 7% contained hardcoded usernames and passwords. Nearly 7% of the API keys belonged to third-party payment processors that warn against hard-coding their secret keys in plain text.
• 50% of the APIs tested did not authenticate requests with tokens.
• 100% of API endpoints tested were vulnerable to BOLA (Broken Object Level Authorization) attacks that allowed the researchers to view the PII and PHI for patients that were not assigned to the researcher’s clinician account.
• 50% of the APIs tested allowed medical professionals to access the pathology, X-rays, and clinical results of other patients.
• A replay vulnerability allowed the researcher to replay days-old FaceID unlock requests that allowed to take over other users’ sessions.

Remediation

mHealth platform developers are advised to follow safety measures to protect their customer data and sensitive resources. These include:

• Recognize that synthetic traffic to the API is an issue and arises from bots and automated tools, not from genuine apps and legitimate data requests.
• Secure the development process and harden apps but ensure that run-time protection is also in place.
• Certificate pinning is critical but often left undone because expired certificates can block apps and impact the customer’s experience. However, when done correctly, certificate pinning does not impact either performance or availability.
• Organizations and developers need to monitor the effectiveness of the controls they implement and adjust them easily – both for compliance with HIPAA mandates and to sustain data security and privacy.
• Penetration testing and static and dynamic code analysis should be performed regularly.

“These findings are disappointing but not at all surprising. The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm. Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients,” said David Stewart, Founder and CEO of Approov.