Open-source projects and DIY communities are tapping into real-time data from medical devices to drive innovation and improve lives - but this same openness creates dangerous gaps. Device manufacturers must urgently address the growing security risks before innovation outpaces safety.
The Rise of Connected Medical Devices – and The Risks
The digital transformation of healthcare is bringing continuous monitoring and real-time interventions to patients’ fingertips. Devices like Continuous Glucose Monitors (CGMs) and automated insulin pumps have become essential for people managing chronic conditions like diabetes. But as these tools grow smarter and more connected—often relying on mobile apps and cloud APIs—they also become more vulnerable to cyber threats.
One look at the grassroots Nightscout project shows both the promise and the peril.
Nightscout emerged to solve a real pain point: caregivers had no way to monitor a patient's CGM data remotely in real time. CGMs from Dexcom or Medtronic were originally designed to be used by the patient only, often on a single device, with no external visibility. Nightscout addresses this by letting users share their data through open-source interfaces and mobile access. This is hugely empowering for parents managing children with Type 1 Diabetes, for spouses or partners of adults with diabetes, and for care teams in schools, workplaces, or sports settings.
However, Nightscout underscores a powerful tension: innovation versus control. While empowering, such DIY efforts often involve reverse-engineered apps or unauthorized API access, which can bypass security protocols and create liability for device manufacturers like Abbott, Dexcom, or Medtronic.
The Nightscout small print even says “There is no password protected privacy or security provided by these tools; all data you upload can be available for anyone on the Internet to read if they have your specific URL to view your data.”
There is a Way to Enable an Ecosystem AND Keep it Secure
This is very similar to the connected smart car use case, where the owners of car APIs must allow authenticated app traffic while blocking bad actors. The drive to share data from medical devices, and to find creative ways of doing so, will not go away, so medical device manufacturers need to create an environment that allows this to happen while ensuring data access is secure and can be managed. Let's see how that can be done.
Real World Threat Scenarios to the Mobile Device Ecosystem
Using Continuous Glucose Monitors (CGMs) as an example in the mobile device ecosystem, here are two of the major potential attacks which could be used by hackers, and their potential impact:
1. Man-in-the-Middle (MitM) Attacks on CGM Devices
MitM attacks on mobile app traffic are straightforward to execute. An attacker intercepting app-device or app-API communication could:
- Falsify glucose readings → triggering inappropriate insulin delivery.
- Hijack apps or display fake alerts → potentially ransoming access.
- Steal PHI (Protected Health Information) → for identity fraud or blackmail.
- Undermine trust in critical medical technology.
Consequences range from medical emergencies like hypoglycemia or ketoacidosis to regulatory fallout and lawsuits.
2. Runtime Tampering with Hooking Frameworks (e.g., Frida, Xposed)
Because an attacker controls the device and the running app, they can install tools that modify the app's behaviour at runtime. Advanced attackers may use tools like Frida to:
- Modify real-time glucose values.
- Bypass app protections like SSL pinning and jailbreak checks.
- Extract secrets, tokens, or credentials from memory.
- Emulate fake CGM devices or spoof BLE communication.
This isn’t just hypothetical—closed-loop insulin delivery systems like Control-IQ or MiniMed 780G could be hijacked in real-time, posing a direct threat to patient safety.
Common Security Weaknesses in Medical Device App Ecosystems
Here are some of the key security weaknesses we often see in the medical device ecosystem:
| Threat Type | Potential Risk |
| --- | --- |
| Static API keys in apps | Easily extracted and reused by malicious apps |
| Lack of app attestation | Backend APIs accept requests from tampered or fake apps |
| Weak runtime protection | Unable to detect hooking, emulation, or jailbreaks |
| No certificate pinning | Susceptible to MitM interception |
| API over-permissioning | Excessive token scope allows full system access |
| No device trust checks | Emulators and rooted devices gain access |
Best Practices for Securing the Mobile Medical Stack
The following are non-negotiable elements of a robust security strategy to address the threats to mobile devices and their APIs:
- App Attestation
  - Ensure only untampered, official app binaries can access APIs.
  - Block access from repackaged or reverse-engineered apps.
- Runtime Threat Detection
  - Continuously assess the runtime environment for signs of hooking, root, or emulation.
- Dynamic Secrets and Token Protection
  - Avoid storing any API keys or secrets in app code or bundles.
  - Use on-demand delivery of secrets only after runtime verification.
- API Hardening
  - Enforce short-lived, cryptographically signed tokens for access.
  - Require device attestation before granting API access.
- MitM Mitigation
  - Implement dynamic certificate pinning to prevent TLS interception.
  - Rotate pins over-the-air without needing app updates.
Deploying these protections so that every request to a medical device API is validated is how medical device manufacturers add best-in-class security and control to the ecosystem.
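To make the attestation, dynamic-secrets and API-hardening practices above concrete, here is an added example of an attestation-gated API gateway. It is illustration code written for this post, not Approov's product or API: the attestation verdict, the app-hash value, the device signals, the signing key, the endpoint-to-scope map and the 300-second lifetime are all constructed assumptions. The app ships no static secret; a short-lived HMAC-signed token is issued only after an (assumed) runtime check passes, and the API rejects tampered, expired, or insufficiently scoped tokens.

```python
"""Attestation-gated API access with short-lived, signed tokens.

Added illustration, not Approov's code or API. A hypothetical attestation
service issues a token only after verifying the app binary and the device
environment; a hypothetical API gateway validates every request.
All names, signals and values below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing key (constructed). It never ships in the app bundle,
# so a repackaged app has no static secret to extract and reuse.
ATTEST_SIGNING_KEY = b"constructed-server-side-key-never-embedded-in-app"
TOKEN_TTL_SECONDS = 300  # short-lived: a stolen token is only useful briefly

# Hash the attestation service trusts for the official build (placeholder).
KNOWN_APP_HASH = "sha256:constructed-official-build"

# Least privilege per endpoint: a read-only token can never reach insulin
# delivery, which counters the "API over-permissioning" weakness.
ENDPOINT_SCOPES = {
    "/glucose": "glucose:read",
    "/insulin/deliver": "insulin:write",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Sign claims with HMAC-SHA256 as <base64url(json)>.<base64url(mac)>."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(ATTEST_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def attest(app_hash: str, device_signals: dict, scopes: list,
           now: Optional[float] = None) -> Optional[str]:
    """Hypothetical attestation step: a token (the only 'secret' the app
    ever holds) is delivered solely to the official binary on a device
    showing no hooking, root, or emulator signals."""
    if app_hash != KNOWN_APP_HASH:
        return None  # repackaged or reverse-engineered build
    if any(device_signals.get(k) for k in ("hooking_framework", "rooted", "emulator")):
        return None  # runtime threat detected: no secret is delivered
    now = time.time() if now is None else now
    claims = {"sub": "cgm-companion-app", "scope": scopes,
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    return issue_token(claims)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Gateway-side check: constant-time MAC comparison, then expiry."""
    try:
        body, mac_b64 = token.split(".")
        presented_mac = _unb64(mac_b64)
    except ValueError:  # wrong shape or malformed base64
        return None
    expected = hmac.new(ATTEST_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_mac):
        return None  # signature mismatch: tampered or forged token
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired
    return claims


def api_request(token: str, endpoint: str, now: Optional[float] = None) -> int:
    """HTTP-style status: 401 untrusted token, 403 wrong scope, 404, or 200."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    needed = ENDPOINT_SCOPES.get(endpoint)
    if needed is None:
        return 404
    if needed not in claims.get("scope", []):
        return 403
    return 200


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    clean = {"hooking_framework": False, "rooted": False, "emulator": False}
    tok = attest(KNOWN_APP_HASH, clean, ["glucose:read"], now=t0)
    print("read glucose:", api_request(tok, "/glucose", now=t0))             # 200
    print("deliver insulin:", api_request(tok, "/insulin/deliver", now=t0))  # 403
    print("after expiry:", api_request(tok, "/glucose", now=t0 + 600))       # 401
    print("hooked device:", attest(KNOWN_APP_HASH, {"hooking_framework": True},
                                   ["glucose:read"], now=t0))                # None
```

The point of the split is that the app never holds anything long-lived: a tool that dumps the app's memory gets at most a token that expires in minutes and cannot be widened to a new scope without the server-side key, and a device reporting hooking or root signals never receives one at all. Certificate pinning is a separate, complementary control on the transport and is not shown here.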
How Approov Protects Connected Medical Ecosystems
Approov provides a zero trust security layer tailored for mobile-connected environments, especially in sensitive domains like digital health. Here's how Approov protects CGM apps and similar medical device integrations:
- Mobile App Attestation
  - Confirms the app is untampered and running on a secure device.
  - Delivers short-lived tokens only to trusted apps in verified environments.
- Secrets Protection
  - No secrets are stored in the app.
  - API keys or tokens are injected only after runtime attestation succeeds.
- Detection of Rooting, Hooking, and Emulation
  - Blocks known tools like Frida, Xposed, Magisk, Zygisk, and debugger environments.
  - Prevents API interaction if threats are detected.
- Dynamic Certificate Pinning
  - Protects app-to-backend communication from MitM attacks.
  - Pins are remotely managed, easing DevOps and improving resilience.
- Enabling Secure Partner Ecosystems
  - Ensures only verified apps and partners access APIs (including SMART on FHIR).
  - Meets healthcare compliance needs with audit-ready telemetry and dynamic access control.
Final Thoughts: Why Security is Life-Critical in Mobile Health
As apps become the gateway to life-sustaining medical functions, their security is no longer optional—it’s fundamental to safety. Attacks via MitM or instrumentation don’t just breach privacy; they can trigger medical harm.
Innovation in connected care will continue, but must go hand-in-hand with robust runtime security. In this way a vibrant and secure ecosystem can be created.
Approov makes that possible—without compromising usability or speed.
Approov and Mobile Healthcare
Approov ensures that only trusted, untampered apps running in safe environments can access sensitive APIs. This protects patients, preserves IP, and helps manufacturers meet the high bar of HIPAA, GDPR, and evolving medical regulations.
Approov has been very active in driving improvements to cybersecurity in US Healthcare, sponsoring major research on mobile healthcare app vulnerabilities and the risks to FHIR APIs. We also submitted comments to improve the proposed updates to the 2024 HIPAA Security Rule. Read our Healthcare Mobile Security Brief and find more healthcare research here.
Approov are experts on app and API security. We would be happy to set up a call to see if we can help you quickly and effectively improve your healthcare app security.

Pearce Erensel
Global VP of Sales, Approov
Pearce’s cybersecurity experience stems from 7 years of securing mobile apps in highly regulated industries like banking, automotive, and medical device manufacturing. His client-focused approach has helped companies successfully tackle significant challenges in mobile app and API security. Pearce lauds Approov's innovative, seamless, and adaptable approach, recognizing its potential to revolutionize mobile app security.