Exposing Vulnerabilities in mHealth Apps and APIs

Exposing vulnerabilities in mHealth apps and APIs

Eight and a half minutes can seem like an excruciatingly long time, say if you're amateur freediving or late for a job interview. However, the same time period can seem alarmingly brief if that’s all it takes to download a company’s app from a public app store, reverse engineer it and gain access to back-end systems.

And yet, the latter scenario was exactly what cybersecurity analyst and ethical hacker Alissa Knight was able to demonstrate in 2019, documenting her findings in a report titled ‘In plain sight: The vulnerability epidemic in financial services mobile apps.’ Using a rather simple MO — download publicly available financial services apps and use readily available tools to probe for vulnerabilities — Knight demonstrated “a systemic lack of application appropriate protection” in mobile apps from some of the largest financial institutions in the US and Europe.

At Approov, we’re now sponsoring research by Knight as she applies her incisive and insightful approach to vulnerabilities in mHealth apps and APIs.

In July this year, we had addressed the issue of security in mHealth in an earlier article. Today, mHealth apps are being used across the healthcare value chain with patient usage projected to grow at a 10-year CAGR of 40%. The current pandemic has served to highlight and heighten the security challenges of healthcare apps. The current state of mobile security in the industry, however, is not so reassuring - with expediency, convenience, and “getting the job done” taking precedence over even basic mobile security principles. Ergo all this, without adequate attention to mHealth security, mobile healthcare will remain more risk than opportunity.

This is the status quo that our research partnership with Alissa Knight seeks to address. And that has to begin with a broad level understanding of the state of healthcare app security today.

Knight-testing mHealth Apps and APIs

A 2020 Security Report on Global mHealth Apps that tested 100 mobile telehealth, COVID-tracking, health commerce, and medical device apps came to this unnerving conclusion that over 70% of publicly available mHealth apps have at least one high-level security vulnerability. This is followed by a litany of issues including mishandled/weak encryption (91%), data leakage (85%), and unencrypted data storage (60%). More importantly, the study found that up to 83% of the high-level security vulnerabilities could have been addressed through prevalent application protection practices like code obfuscation, tampering detection, and white-box cryptography.

However, fixing issues in the app security only addresses one half, or less, of the attack space. Securing the app is good, but securing the APIs that service them is better. For bad actors, setting up scripts to impersonate mobile app traffic and using them against the APIs is a lot less work than reverse engineering apps. Hence this remains the most popular attack vector against mobile channels.

With the status still firmly stuck in the quo, the stage’s set for the difficult question: what if a hacker hacked 30 telemedicine apps and APIs? And that’s the mandate that Knight’s currently in the process of realizing.

Over the past few weeks Knight has been assembling the components required to execute the first-ever vulnerability research campaign focused on mHealth apps and APIs. The objective of the research is to focus attention on protected health information (PHI), not only the most critical of personal information there ever will be but also the highest valued data on the black market. The research process will culminate with the release of the most comprehensive inventory of healthcare app vulnerabilities ever and conceivably help raise the security standards around the industry’s approach to architecting, building, and maintaining mHealth technologies.

This research into mHealth apps and APIs also goes a few steps further than Knight’s 2019 shake-up of fintech mobility’s passive approach to security. While earlier the process terminated with the extraction of hardcoded API keys, tokens, and credentials, this year’s research has also garnered the participation of several mHealth companies who will open their APIs to be tested.

The Opening Salvo

The research kicked off with the network interdiction stage, exploiting authentication and authorization vulnerabilities in established sessions between mHealth apps and their API endpoints. Using static code analysis, mobile apps are reversed back to their source code in order to perform manual queries and “find patterns that match API keys, tokens, and other secrets, such as credentials or private certificates.”

According to Knight, most of the exploits during this stage focus on Broken Object Level Authorization (BOLA) vulnerabilities and involve sending API requests for access to objects that should not be available. Though this is a common and critical vulnerability, according to the OWASP API Security Project, it is not one without a solution and there are also several controls that can be implemented to thwart these kinds of exploits. For instance, a decision engine implemented into the code can determine if a request has the authorization to view the resource that is being requested. Another higher-level approach is to ensure that only untampered apps are allowed to interact with the APIs.

Today, there are robust API protection solutions designed specifically to secure mobile businesses against different types of techniques to gain unauthorized access to backend services, data, and assets. The best solutions even go a step further and provide valuable insights into the type and state of devices using the API to communicate with protected services, the share of API requests coming from potentially malicious sources such as bots, scripts, etc., and even identify requests from rooted/jailbroken mobile devices and repackaged apps.  

These, then, are some of the more significant takeaways from this preliminary stage of the research. For the more technically inclined, Knight helpfully provides a deep dive into the requisite tools, processes, and setups as part of her research chronicles at All That We Let In: Hacking Mobile Health APIs where she will continue to record her comments, techniques and insights as the research progresses.

A significant majority of physicians, residents, and students believe that personalized medicine and telemedicine can transform healthcare in the near-term, according to a 2020 study from Stanford Medicine. However, the study also identified a Transformation Gap in the healthcare industry wherein the higher the potential patient benefits of any innovation, the less prepared the medical community seemed to be.

In our mHealth article cited earlier, we wrote about the healthcare industry’s transformation gap, wherein the higher the perceived transformative potential of new technologies the lower the stated level of readiness among healthcare practitioners. If the current pandemic has demonstrated one thing, it is the value of telehealth and mHealth technologies and applications. We hope this research goes at least a little way in enabling the industry to understand the principles, techniques and processes that will secure mHealth and accelerate its adoption.

Try Approov For Free!