An analysis of 30 popular mobile health apps has shown that they expose the medical histories of millions of people.
Research led by Alissa Knight, a partner at the marketing agency Knight Ink, on behalf of the mobile API security company Approov, found that mobile health applications are vulnerable to API attacks. In these attacks, an unauthorized attacker can gain access to the victim's protected medical information and personal data.
The study analyzed 30 popular mobile health applications with an average of about 772 thousand downloads each. None of the analyzed applications implemented certificate pinning, exposing users to MitM attacks, and 77% of them contained embedded API keys, tokens and credentials. Half of the APIs did not authenticate requests with tokens, and a quarter of the applications (27%) were not protected against reverse engineering.
Half of the records provided by mobile health apps contained names, addresses, dates of birth, social security numbers, allergy, drug, and other sensitive user information.
According to the expert, all tested API endpoints were vulnerable to BOLA (broken object level authorization) attacks, which expose confidential medical data even to patients who are not tied to a doctor's account. Half of the APIs tested gave access to other patients' pathology information, X-rays, and clinical results.
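The BOLA class of flaw described above, shown as an added example that is not code from the study or from any of the apps tested: a record lookup that relies only on the caller's token beside one that also enforces object-level authorization. The roles, record ids and record contents are constructed for illustration.

```python
"""Added example: a BOLA-vulnerable record lookup beside its hardened form.
Users, record ids and record contents are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                              # "patient" or "clinician"
    patient_ids: frozenset = frozenset()   # patients assigned to a clinician


# Constructed sample data: record id -> (owning patient id, contents)
RECORDS = {
    "rec-1001": ("pat-1", {"type": "xray", "finding": "no fracture"}),
    "rec-1002": ("pat-2", {"type": "pathology", "finding": "benign"}),
}


class Forbidden(Exception):
    pass


def get_record_vulnerable(caller: Principal, record_id: str) -> dict:
    """The token proves who the caller is, but nothing checks whether the
    caller may see record_id, so any authenticated patient can read every
    other patient's record simply by supplying its id (BOLA)."""
    return RECORDS[record_id][1]


def can_access(caller: Principal, owner_id: str) -> bool:
    """Object-level authorization: a patient sees only their own records,
    a clinician only those of patients explicitly assigned to them."""
    if caller.role == "patient":
        return caller.user_id == owner_id
    if caller.role == "clinician":
        return owner_id in caller.patient_ids
    return False


def get_record_secure(caller: Principal, record_id: str) -> dict:
    """Hardened lookup: ownership is checked on every request, and a missing
    record is reported the same way as a forbidden one, so the endpoint
    cannot be used to enumerate which record ids exist."""
    entry = RECORDS.get(record_id)
    if entry is None or not can_access(caller, entry[0]):
        raise Forbidden(f"record {record_id} not available to {caller.user_id}")
    return entry[1]
```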