Approov reports that 77% of 30 popular mobile health apps for clinicians have hardcoded application programming interface (API) keys, making them vulnerable to interception by attackers, according to Threatpost. With each tested app having an average of 772,619 downloads, the vulnerabilities leave around 23 million mHealth users at risk of API attacks that could leak sensitive information, researchers said. The report further notes that another 7% of apps contained hardcoded usernames and passwords, 27% lacked code-obfuscation protections against reverse engineering, none featured certificate pinning, which safeguards against man-in-the-middle attacks, and half of the APIs failed to authenticate requests using tokens. All API endpoints that were tested also proved vulnerable to Broken Object Level Authorization (BOLA) attacks, which left users' personal health information and personally identifiable information accessible to hackers even for patients who were not assigned to the breached clinician's account. Threat actors have long been drawn to lucrative opportunities in the health care sector, where medical records fetch around $1,000 each in cybercriminal markets, and that incentive is compounded by the lack of security among innovation-focused mobile health app developers, researchers said.