Cybersecurity Report Finds 30 Popular Mobile Health Apps are Vulnerable to API Attack

By Scott Mace

Each of 30 popular mobile health applications are vulnerable to attacks via their application program interfaces (APIs), according to findings released last week by a security hacker and author, working with a threat protection technology company.

The study, All That We Let In, raises concerns that increasing reliance on mobile health apps during the pandemic is drawing threat actors to mobile health applications as their preferred attack surface.

The attacks described can permit unauthorized access to full patient records, including protected health information (PHI) and personally identifiable information.

“There will always be vulnerabilities in code so long as humans are writing it,” said Alissa Knight, researcher and author of the report. “Humans are fallible. But I didn’t expect…all of the APIs to be vulnerable to broken object level authorization vulnerabilities, allowing me to access patient reports, x-rays, pathology repots, and full PHI records in their database. The problem is clearly systemic.”

The study examined 30 popular mobile health apps. Each app has been downloaded an average of 772,619 times, and Knight estimates that the 30 apps examined expose at least 23 million mobile health users.

Of the 30 popular apps Knight tested, 77% contained hardcoded API keys, some of which do not expire, and 7% contained hardcoded usernames and passwords. The study found that 7% of the API keys belonged to third-party payment processors that warn against hardcoding their secret keys in plain text.

The total number of users exposed by the 318,000 mobile health apps now available on major app stores is likely far greater, according to Knight.

Mobile health platform developers, and all those using these applications, should recognize that synthetic traffic to mobile APIs is an issue, secure the development process, and protect against so-called “machine in the middle attacks” via certificate pinning, the report recommends.

Half of the records accessed by such attacks contained names, social security numbers, addresses, birthdates, allergies, medications, and other sensitive data for patients, the report stated.

The publisher of the report is Approov, which provides a multi-factor, end-to-end mobile API security solution that complements identity management, endpoint, and device protection to lock down proper API usage.

Scott Mace is a contributing writer for HealthLeaders.