Researcher testing of 30 mobile health apps for clinicians found that all of them had vulnerable APIs.
Some 23 million mobile health (mHealth) application users are exposed to application programming interface (API) attacks that could expose sensitive information, according to researchers.
Generally speaking, APIs are an intermediary between applications that defines how they can talk to one another and allowing them to swap information. Researcher Alissa Knight with Approov tried to break into the APIs of 30 different mHealth app vendors, with the agreement she wouldn’t ID the vulnerable ones. Turns out, they were all vulnerable to one degree or another.
The average number of downloads for each app tested was 772,619.
According to the resulting report from Approov, out of 30 popular mHealth apps analyzed, 77 percent of them contained hardcoded API keys, which would allow an attacker to intercept that exchange of information — some of which don’t expire. Seven percent of these belonged to third-party payment processors that explicitly warn against hard-coding their secret keys in plain text.
Another 7 percent contained hardcoded usernames and passwords.
But that’s not all: More than a quarter (27 percent) of mobile apps tested didn’t have code-obfuscation protections against reverse engineering; and all of them without exception lacked certificate pinning, which prevents man (or woman) in the middle (MITM) attacks, for intercepting communications to observe and manipulate records.
Also, a full 50 percent of the APIs tested did not authenticate requests with tokens.
And finally, if one patient’s records can be accessed, often many others can be accessed indiscriminately: 100 percent of API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks, which allowed the researcher to view the personal health information (PHI) and personally identifiable information (PII) for patients that were not assigned to the researcher’s clinician account.
For context, the report said there are more than 318,000 apps available in major app stores.
Read more at: threatpost.com