All That We Let In: Hacking 30 Mobile Health Apps and APIs

Alissa Knight tested 30 mobile healthcare apps, and every one displayed API vulnerabilities that exposed personal healthcare data. Learn in detail how they were hacked and what you can do to prevent it from happening to your mHealth apps.

Key Points

• Thirty mobile health (mHealth) apps and APIs were examined with the cooperation of various companies, who requested anonymity for their involvement.
• Alarming findings included the presence of hardcoded API keys in 77% of the tested apps, with some keys not expiring, and 7% containing hardcoded usernames and passwords. 7% of the API keys belonged to third-party payment processors that warn about hard-coding their secret keys in plain text.
• All API endpoints tested were susceptible to Broken Object Level Authorization (BOLA) attacks, potentially leading to unauthorized access to comprehensive patient records, including lab results, x-ray images, medical data, and personally identifiable information (PII).
• The research advocates a combination of shift-left security and shield-right measures to prevent unauthorized access to APIs and mitigate security risks.
• APIs act as intermediaries between applications, defining how they communicate and reducing their dependence on the underlying infrastructure.
• The research involved several large companies, each with annual revenues ranging from $600 million to $8 billion, employing an average of 15,000 people. The average number of downloads for the tested apps was 772,619. Each app combined capabilities of allowing clinicians to review their schedule, patient lists, and patient charts.
• The findings reveal that meeting the security standards for US government FHIR/SMART compliance is only a partial solution, as securing mobile apps and the APIs that facilitate data retrieval and interoperation necessitates more comprehensive measures.

Key Findings

Alissa Knight found that in every API they tested, they were able to exploit BOLA vulnerabilities to gain unauthorized access, insert data, or take control of devices or automobiles. The research results were obtained through two weeks of API testing and six months of static code analysis. The report highlights a shocking number of hardcoded keys and tokens in mHealth apps, not only in the mHealth company's APIs but also in third-party payment processors, and stresses that basic cybersecurity practices like avoiding hardcoded usernames and passwords in source code and properly authorizing requests are lacking in the mHealth sector.

mHealth companies need to adopt a more robust zero-trust approach to secure their apps and APIs. There was a clear lack of static code analysis and penetration testing that would have mitigated many of the vulnerabilities uncovered during this research.

Shift-left security and practicing good cybersecurity hygiene are just one of the hardening steps that should be taken to secure your APIs. 

Implementing Approov Mobile Security could have prevented the attacks observed during this research. Approov's effectiveness stems from its ability to distinguish between synthetic and human traffic, shield APIs from tracing and reverse engineering, implement dynamic pinning for enhanced security, and restrict API calls exclusively to genuine applications. If all the companies had integrated Approov, these attacks would have been completely unfeasible.