"Mobile Health Apps Found to Expose Records of Millions of Users"
Approov, a mobile Application Programming Interface (API) security company, released a report detailing the findings of an analysis of 30 popular mobile health (mHealth) applications conducted by Alissa Knight, a partner at the marketing agency Knight Ink. The analysis found that these applications are vulnerable to API attacks that could allow unauthorized parties to access Protected Health Information (PHI) and Personally Identifiable Information (PII). Reliance on mHealth apps has increased during the COVID-19 pandemic, and health apps now generate more user activity than other types of mobile apps. According to the study, none of the analyzed applications implemented certificate pinning, leaving them open to man-in-the-middle (MITM) attacks. More than 70 percent of the analyzed apps contained hardcoded API keys, tokens, and credentials. Half of the APIs did not use token authentication for requests, and one-quarter of the apps were not protected against reverse engineering. Knight found 114 hardcoded API keys and tokens for Google, Microsoft App Center, Cisco Umbrella, Facebook, AWS, Stripe, and other services. Half of the records exposed by these applications contained sensitive information belonging to millions of users, including names, addresses, dates of birth, Social Security numbers, allergies, and medication data. Approov's report offers recommendations for mobile app developers on protecting customer data and sensitive resources, such as performing penetration testing. This article continues to discuss the discovery of vulnerabilities in mHealth applications and the exposure of patient information by these apps.
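As an added illustration of the report's hardcoded-credential finding (example code written for this summary, not from Approov or Knight Ink): a small pre-release scan over extracted app resources that flags credentials matching the publicly documented AWS, Stripe and Google key prefixes, reporting the location and key type without echoing the secret. The file names and key values are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Publicly documented prefixes of three credential types named in the report.
# The character-class lengths follow each provider's published key format.
KEY_PATTERNS: Dict[str, re.Pattern] = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, credential type) for each hardcoded key found.

    Only the key type and location are reported, never the secret itself, so the
    result can go into a CI log without leaking the credential a second time.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in KEY_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, label))
    return hits

def scan_bundle(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan every extracted file of an app bundle (path -> decoded text)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample of what a decompiled bundle might contain; the key values
# are made-up placeholders shaped like the documented formats, not real keys.
SAMPLE_BUNDLE = {
    "res/values/strings.xml": (
        '<string name="app_name">ExampleHealth</string>\n'
        '<string name="maps_key">' + "AIza" + "EXAMPLE" + "0" * 28 + "</string>\n"
    ),
    "com/example/health/Billing.java": (
        'String stripeKey = "sk_live_EXAMPLE00000000000000000000";\n'
        'String awsKey = "AKIAEXAMPLE000000000";\n'
        'String awsRegion = "us-east-1";\n'
    ),
    "com/example/health/Api.java": (
        '// Correct pattern: the client carries no provider secret; the backend\n'
        '// issues a short-lived token per session after authenticating the user.\n'
        'String sessionToken = tokenService.issueForCurrentUser();\n'
    ),
}

if __name__ == "__main__":
    for path, lineno, label in scan_bundle(SAMPLE_BUNDLE):
        print(f"{path}:{lineno}: hardcoded {label}")
```

A hit means the provider secret must move server-side and be replaced in the client by a per-session token, which is also what closes the "no token authentication" gap the report describes.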
Security Week reports "Mobile Health Apps Found to Expose Records of Millions of Users"