New Study Shows All mHealth Apps Are Vulnerable to API Attacks
Cybersecurity Researcher Tests 30 Leading Mobile Health (mHealth) Apps. Results Show 100% of Them are Vulnerable.
A recent study (All That We Let In), conducted by cybersecurity firm Approov and researcher Allissa Knight, shows that mobile health (mHealth) apps are vulnerable to API (Application Programming Interfaces) attacks which could allow unauthorized access to patient records, such as Protected Health Information (PHI) and Personally Identifiable Information (PII).
This is a concern among all the 23 million patients who expect their health information to be secure when they download an app. You can read the full study here.
Cybersecurity Researcher Tests 30 Leading mHealth Apps (Mobile Health Apps)
COVID-19 pandemic led to a dramatic increase in app use, more than 60% of people are downloading a mHealth app and about 318,000 mHealth apps are available for download through major app stores. Therefore, attacks on these endpoints are increasing.
In order to estimate vulnerabilities, Knight analyzed the leading apps over the course of six months, trying to break into the APIs of 30 different mHealth app vendors, with the agreement she wouldn’t disclose the vulnerable ones (as per responsible disclosure guidelines).
Results Show 100% of mHealth Apps are Vulnerable
She discovered they were all vulnerable at some level, being able to access patient records, and found that 50% of the records accessed contained sensitive information such as social security numbers, names, addresses, information about allergies and medications, and other sensitive health data, the report stated.
“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible. But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.” Allissa Knight, researcher.
Broken Object Level Authorization (BOLA) is the most systemic API vulnerability today and allows a threat actor to substitute the ID of a resource with the ID of another.
“When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them. These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.”
What Do the Numbers on mHealth Apps Say?
The study revealed that 100% of API endpoints tested were vulnerable to BOLA attacks that allowed the researcher to view the PII and PHI for patients that were not assigned to the researcher’s clinician account.
Also, 77% of the tested mHealth apps contained hard-coded API keys, some of which will not expire, which made them vulnerable to attacks that would allow the attacker to intercept information as it is exchanged. Furthermore, 7% contained hardcoded usernames and passwords.
For another 50% of the APIs tested a token-based authentication wasn’t even requested, whilst 63% of the apps contained hardcoded private keys.
Knight also found API keys and tokens for Google, Branch.io, Braze, Tune, Optimizely, Cisco Umbrella, Microsoft App Center, Bugsnag, Contentful, Stripe, Amazon AWS, Radaee, Sendbird, AppsFlyer, Facebook, Vonage, SalesForce, and Mparticle.
According to the final results, the total number of users exposed by the 318,000 mobile health apps now available on major app stores is likely far greater.
“These findings are disappointing but not at all surprising. The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm. Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.” David Stewart, Approov Founder and CEO.
All the developers and organizations using mHealth mobile applications are advised to adopt a few important key steps in order to protect their customer data and sensitive information such as:
- Address both app security and API security;
- Secure the development process and harden apps, but also ensure that run-time protection is also working;
- Protect against man-in-the-middle attacks;
- Frequently perform penetration testing and static and dynamic code analysis.