
mHealth Apps Expose Millions to Cyberattacks

February 12, 2021
Approov reports that 77% of 30 popular mobile health apps for clinicians have hardcoded application programming interface (API) keys, making them vulnerable to interception by attackers, according to Threatpost. With each tested app averaging 772,619 downloads, the vulnerabilities leave around 23 million mHealth users at risk of API attacks that could leak sensitive information, researchers said.

The report further notes that another 7% of the apps contained hardcoded usernames and passwords, 27% lacked code-obfuscation protections against reverse engineering, none featured certificate pinning, which safeguards against man-in-the-middle attacks, and half of the APIs failed to authenticate requests using tokens. All API endpoints that were tested also proved vulnerable to Broken Object Level Authorization attacks, which left users' personal health information and personally identifiable information accessible to hackers even though those records were not assigned to the breached clinician's account.

Threat actors have long been drawn to lucrative opportunities in the health care sector, where medical records fetch around $1,000 each in cybercriminal markets and security is lacking among innovation-focused mobile health app developers, researchers said.
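The two server-side findings reported above, token authentication of requests and object-level authorization, are shown here as an added example that is not code from the Approov report or from any tested app. The record store, clinician ids, key and function names are all constructed for illustration, and the token format is a simplified assumption without expiry.

```python
import hashlib
import hmac

# All names and data below are constructed for illustration.
SERVER_KEY = b"demo-key-loaded-from-server-side-secret-store"

# record_id -> (assigned clinician, record body)
RECORDS = {
    "r-1001": ("clin-a", {"patient": "P. One", "note": "constructed sample"}),
    "r-1002": ("clin-b", {"patient": "P. Two", "note": "constructed sample"}),
}


def _tag(clinician_id: str) -> str:
    return hmac.new(SERVER_KEY, clinician_id.encode(), hashlib.sha256).hexdigest()


def issue_token(clinician_id: str) -> str:
    """Server-side, after login: bind the clinician id to an HMAC tag."""
    return f"{clinician_id}.{_tag(clinician_id)}"


def authenticate(token: str):
    """Return the clinician id if the token's tag verifies, else None."""
    clinician_id, sep, tag = token.rpartition(".")
    if not sep or not clinician_id:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(clinician_id).encode())
    return clinician_id if ok else None


def get_record_vulnerable(token: str, record_id: str):
    """Authenticates the caller but never checks record assignment (BOLA)."""
    if authenticate(token) is None:
        return 401, None
    entry = RECORDS.get(record_id)
    return (200, entry[1]) if entry else (404, None)


def get_record_hardened(token: str, record_id: str):
    """Adds the object-level check: the record must be assigned to the caller."""
    clinician_id = authenticate(token)
    if clinician_id is None:
        return 401, None
    entry = RECORDS.get(record_id)
    # Same 404 for "missing" and "not assigned to you", so the response
    # does not confirm which record ids exist.
    if entry is None or entry[0] != clinician_id:
        return 404, None
    return 200, entry[1]
```

The authorization decision is made from the identity carried in the verified token and the server's own assignment data, never from an identifier the client supplies about itself.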
Jill Aitoro

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
