Application security, Threat Management

mHealth Apps Expose Millions to Cyberattacks

Approov reports that 77% of 30 popular mobile health apps for clinicians have hardcoded application programming interface keys, making them vulnerable to interception by attackers, according to Threatpost. With each tested app having an average of 772,619 downloads, the vulnerabilities leave around 23 million mHealth users at risk of API attacks that could leak sensitive information, researchers said. The report further notes that another 7% of apps contained hardcoded usernames and passwords, 27% lacked code-obfuscation protections against reverse engineering, none featured certificate pinning, which safeguards against man-in-the-middle attacks, and half of the APIs failed to authenticate requests using tokens. All API endpoints that were tested also proved vulnerable to Broken Object Level Authorization attacks, which left users' personal health information and personally identifiable information accessible to hackers even when those records were not assigned to the breached clinician's account. Threat actors have long been drawn to lucrative opportunities in the health care sector, researchers said, citing medical records that fetch around $1,000 each in cybercriminal markets combined with the lack of security among innovation-focused mobile health app developers.
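The Broken Object Level Authorization finding above can be pictured with a short added example, which is not code from the report or from any tested app: a record lookup that only authenticates the caller, next to one that also checks the record is assigned to that clinician. All names, tokens and records are constructed for illustration.

```python
# Added illustration; every identifier and record here is constructed sample data.
RECORDS = {"p-100": "constructed record A", "p-200": "constructed record B"}
# Which patient records are assigned to which clinician account.
ASSIGNMENTS = {"dr-alice": {"p-100"}, "dr-bob": {"p-200"}}
# Opaque session token -> authenticated clinician.
SESSIONS = {"tok-alice": "dr-alice", "tok-bob": "dr-bob"}


class Unauthenticated(Exception):
    """No valid session token was presented."""


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this object."""


def authenticate(token):
    clinician = SESSIONS.get(token)
    if clinician is None:
        raise Unauthenticated("missing or unknown token")
    return clinician


def get_record_vulnerable(token, patient_id):
    """BOLA: any valid login can read any record by changing patient_id."""
    authenticate(token)
    return RECORDS[patient_id]


def get_record_checked(token, patient_id):
    """Object-level check: the record must be assigned to the caller."""
    clinician = authenticate(token)
    allowed = ASSIGNMENTS.get(clinician, set())
    # Same error for "not assigned" and "unknown ID", so valid IDs are not revealed.
    if patient_id not in allowed or patient_id not in RECORDS:
        raise Forbidden("record not available to this account")
    return RECORDS[patient_id]


def audit(handler):
    """Regression check: list (clinician, patient_id) pairs served outside assignments."""
    leaks = []
    for token, clinician in SESSIONS.items():
        for patient_id in RECORDS:
            try:
                handler(token, patient_id)
            except Forbidden:
                continue
            if patient_id not in ASSIGNMENTS[clinician]:
                leaks.append((clinician, patient_id))
    return leaks
```

Running `audit` against every record-returning endpoint in a test suite catches a missing assignment check before release.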
Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
