Mobile healthcare apps expose patient data through API-focused mobile attacks, research shows

Popular mobile health applications are vulnerable to API attacks that permit unauthorized access to full patient records including protected health information (PHI) and personally identifiable information (PII), according to a new study from Approov and cybersecurity researcher Alissa Knight with Knight Media Ink.

“All That We Let In” looks at API vulnerabilities in30 popular mobile health apps tested, and underscores the API shielding actions that organizations should immediately take to protect their mHealth apps from API abuse.

Among key findings

– 77 percent of apps tested contained hardcoded API keys, some which don’t expire, and seven percent contained hardcoded usernames and passwords. Seven percent of the API keys belonged to third-party payment processors that warn against hard-coding their secret keys in plain text.

– 50 percent of the APIs tested did not authenticate requests with tokens.

– API keys and tokens were discovered for Google, Branch.io, Braze, Tune, Optimizely, Cisco Umbrella, Microsoft App Center, Bugsnag, Contentful, Stripe, Amazon AWS, Radaee, Sendbird, AppsFlyer, Facebook, Vonage, SalesForce and Mparticle.

– 50 percent of the records accessed contained names, social security numbers, addresses, birthdates, allergies, medications, and other sensitive data for patients.

– 100 percent of API endpoints tested were vulnerable to broken object level authorization (BOLA) attacks that allowed the researcher to view the PII and PHI for patients that were not assigned to the researcher’s clinician account.

“HealthCare Records are the challenge of this decade,” said YouAttest CEO Garret Grajek. “We need to ensure that the information is available to providers and patients – but have to ensure that ONLY the right parties view the data. This is exactly the NIS concept of PoLP (PR AC-6, “Principle of Least Privilege”).   Easy to say – hard to do.   That is, we have to ensure that apps and data have the right tools/policies/procedures that access is not granted to unwarranted people and processes.

“The Principle of Least Privilege is mandated by both HIPAA and HITRUST standards.   Execution of this is also mandated by access reviews – reviews of what accounts and people have access to applications, servers and data. This is required by the mandates but implementation is up to the parties.”

Knight said, “There will always be vulnerabilities in code so long as humans are writing it. But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to BOLA vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

“Leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said Approov Founder and CEO David Stewart. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

Recommendations include:

– Address both app security and API security: synthetic traffic to the API is an issue and arises from bots and automated tools, not from genuine apps and legitimate data requests.

– Secure the development process and harden apps, but ensure that run-time protection is also in place (shift left and shield right).

– Protect against person in the middle attacks: certificate pinning is important but is often undone because expired certificates can block apps and impact the customer’s experience.

“While it is a best practice for a mainstream application’s code to move through a thorough secure code review during development, organizations are often haphazard on following the same secure systems development lifecycle (SSDLC) process while developing mobile applications,” said Tom Garrubba with Shared Assessments. “By not applying the same rigorous process, any defective code will lead to vulnerabilities that can be exploited by even the most novice of hackers.”

“The report is telling in how little attention is given to application security for mobile applications,” said Gurucul CEO Saryu Nayyar. “It is disheartening to see how many basic security Best Practices are ignored in the development of mobile applications, and the API’s that allow them to access relevant data.

“Code review and remediation for all of the applications and API’s in question is a monumental, but necessary, task to start, as is a review of the coding practices that led to such weak security in the first place,” she said.

See infographic below