85% of COVID-19 Tracking Apps Leak Data
Researchers analyzed 100 publicly available iOS and Android mobile apps for healthcare.
Security researchers at Intertrust analyzed 100 publicly available iOS and Android mobile healthcare apps across a range of categories, including telemedicine, medical equipment, healthcare trade and coronavirus (COVID-19) infection tracking, to identify the most dangerous threats.
All 100 applications were analyzed using a range of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) techniques, based on the OWASP Mobile Application Security Guidelines.
Cryptographic problems are among the most common and serious threats: 91% of the analyzed applications failed one or more cryptographic tests. As a result, the encryption used in these medical applications can be easily compromised by cybercriminals, potentially exposing sensitive patient data and allowing attackers to tamper with communicated data, send malicious commands to connected medical devices, or otherwise exploit the application for malicious purposes.
71% of tested medical applications contain at least one dangerous vulnerability. 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
Most mobile health applications have many storage security problems. For example, 60% of the Android apps tested store information in SharedPreferences, leaving unencrypted data readable and editable by hackers and malicious applications.
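As an added illustration (not part of the original report or the researchers' tooling), the following Python check parses an Android SharedPreferences XML file and flags entries whose key names suggest health or credential data but whose values are stored in readable form. The sample file, the key-name patterns and the entropy threshold are constructed assumptions.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of a shared_prefs XML file (not taken from any real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="patient_name">Jane Doe</string>
    <string name="auth_token">eyJhbGciOi.constructed.sample</string>
    <string name="theme">dark</string>
    <int name="launch_count" value="7" />
    <string name="diagnosis_enc">q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEg==</string>
    <boolean name="consent_given" value="true" />
</map>"""

# Hypothetical key-name hints for health and credential data; tune per app.
SENSITIVE = re.compile(r"(patient|diagnos|token|password|secret|ssn|email)", re.I)

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_encrypted(value):
    """Assumed heuristic: long, base64-like, high-entropy strings are ciphertext.
    Plain base64 encoding can also pass, so a hit here still needs manual review."""
    return (len(value) >= 24
            and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None
            and entropy(value) >= 4.0)

def audit_prefs(xml_text):
    """Return names of sensitive-looking entries whose values are stored readable."""
    findings = []
    for entry in ET.fromstring(xml_text):
        name = entry.get("name", "")
        # <string> keeps its value as element text; other types use a value attribute.
        raw = entry.text if entry.tag == "string" else entry.get("value", "")
        value = (raw or "").strip()
        if SENSITIVE.search(name) and not looks_encrypted(value):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for key in audit_prefs(SAMPLE_PREFS):
        print("readable sensitive entry:", key)
```
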
When it comes to contact tracing apps for COVID-19 patients, 85% of them leak data.