Thirty of the most downloaded mobile health apps are highly vulnerable to application programming interface cyberattacks, which could let hackers gain access to patient health records and protected health information, according to a recent Knight Ink and Approov report.
For its report, API cybersecurity company Approov and cybersecurity content company Knight Ink tapped Alissa Knight to analyze the leading mHealth apps over a six-month period to assess cybersecurity vulnerabilities. Ms. Knight is a cybersecurity analyst and partner at Knight Ink. The mHealth app developers agreed to participate in the study as long as the results were not directly attributed to the app vendors.
Seven report insights:
1. For the 30 mHealth apps, the average number of downloads for each was 772,619; the researchers estimate that the mHealth apps expose about 23 million mHealth users at minimum.
2. About 77 percent of the apps analyzed contained hard-coded API keys, some of which don't expire, and 7 percent contained usernames and passwords.
3. Seven percent of the API keys belonged to third-party payment processors, which warned against hard-coding their secret keys in plain text.
4. Half of the tested APIs did not authenticate coding requests with security tokens.
5. The researchers found API keys and tokens, which are used to authenticate with the mHealth companies and third-party APIs, for Google, Microsoft App Center, Amazon AWS, Facebook, Salesforce and more.
6. All the tested API endpoints were vulnerable to broken level authorization attacks, which let unauthorized users access patient records, downloadable lab results, X-ray images, blood work, and information such as Social Security numbers and family member data.
7. Fifty percent of the records accessed through the study contained names, Social Security numbers, addresses, birthdates and other sensitive patient data.