The rise of API vulnerabilities in mobile healthcare apps


How API attacks are hamstringing mobile healthcare apps

  • Reports find that mobile health apps leak sensitive data through APIs
  • By 2022, API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches

The Covid-19 pandemic has accelerated the use of mobile healthcare apps and virtual care. As a result, the personal health data of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by Knight Ink and cybersecurity firm Approov.

Several widely used mobile health apps have basic security flaws that leave them open to attack. The information they process, transmit, and store, protected health information (PHI), is vital and highly valuable, and it is being sold on the dark web. Knight partnered with mobile security company Approov to hack 30 mobile health apps to highlight the threats they face through their APIs.

The findings were published in a recent report, “All That We Let In”. All of the apps were found to be vulnerable to API attacks, and some allowed access to electronic health records (EHRs). The 30 apps collectively expose 23 million mobile health users to attacks, Knight reported. Of the 30 apps tested, 77% contained hardcoded API keys, some of which do not expire according to the report, and 7% had hardcoded usernames and passwords.

Approov CEO and founder David Stewart explained that APIs are the communication channels between a mobile app and a cloud service, physical server, or hospital infrastructure. The threat to APIs is concerning because Gartner predicts that by 2022, API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches. In healthcare, APIs will allow mobile phones to access patient X-rays, pathology reports, and allergy data, among other things.

“There are plenty of mobile healthcare apps that may not be directly accessing the patient’s medical records, but they’re still accessing extremely sensitive information – like which prescriptions they take regularly for which drugs,” Stewart said. Other apps that could face threats include apps for mental health services, he added. Knight even hacked into one hospital’s system by changing a value in an EHR request by one digit, and was then able to access the health records of the patient’s family members, plus other patient information captured at the hospital’s registration desk. Knight used a hacking tool whose traffic looks as if it is generated by a mobile health app.

“The traffic looks exactly the same as traffic that’s coming from the actual mobile app, and that gives the hackers so much more flexibility about the things that they can do,” Stewart explained. To top it off, Knight found that 100% of the API endpoints tested were susceptible to Broken Object Level Authorization (BOLA) attacks. The OWASP Foundation, which organizes community-led open-source projects, lists BOLA as the top security risk for APIs. BOLA attacks enabled Knight to view personal identification and health information that the clinician account the researcher used was not authorized to see.
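As an added illustration of the BOLA weakness described above (this is not code from the report, from Knight Ink or from Approov), the Python below shows an EHR lookup that authenticates the caller but never checks that the caller is assigned to the requested patient id, beside a hardened version that enforces that object-level check and logs denials so sequential id probing is visible to monitoring. All clinician names, patient ids and records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    patient_id: int
    summary: str


# Constructed sample EHR store and care-team assignments (clinician -> patient ids).
EHR: Dict[int, Record] = {
    1001: Record(1001, "allergy: penicillin"),
    1002: Record(1002, "pathology: pending"),
}
CARE_TEAM: Dict[str, Set[int]] = {
    "dr_alice": {1001},
    "dr_bob": {1002},
}
# Constructed audit sink; a real service would forward these events to its SIEM.
DENIED_LOG: List[Tuple[str, int]] = []


class Unauthenticated(Exception):
    pass


def get_record_vulnerable(clinician: str, patient_id: int) -> Optional[Record]:
    """BOLA: the caller is authenticated, but nothing ties the requested
    patient_id to that caller, so any valid account can walk the whole EHR
    by changing the id."""
    if clinician not in CARE_TEAM:
        raise Unauthenticated(clinician)
    return EHR.get(patient_id)


def get_record_hardened(clinician: str, patient_id: int) -> Optional[Record]:
    """Object-level authorization: honour the id only if it is assigned to the
    caller. Unassigned and nonexistent ids both return None, so the response
    does not reveal which patient ids exist; each denial is logged."""
    if clinician not in CARE_TEAM:
        raise Unauthenticated(clinician)
    if patient_id not in CARE_TEAM[clinician]:
        DENIED_LOG.append((clinician, patient_id))
        return None
    return EHR.get(patient_id)


def probing_accounts(threshold: int) -> Set[str]:
    """Detection helper: accounts whose denied lookups reach the threshold,
    the signature of one account enumerating other patients' records."""
    counts: Dict[str, int] = {}
    for clinician, _ in DENIED_LOG:
        counts[clinician] = counts.get(clinician, 0) + 1
    return {c for c, n in counts.items() if n >= threshold}
```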

In addition, in 50% of the mobile APIs tested, medical professionals were able to access the pathology results, X-rays, and other test results of patients who were not theirs. Given how much coveted health data these APIs expose, analysts consider securing them urgent.

How to protect mobile health data from API attacks

The Approov report suggested certificate pinning as a strategy to protect APIs, to prevent expired security certificates from blocking access to critical health data. The authors also reckon that software developers and healthcare organizations should monitor the controls they implement for apps and adjust them for compliance with laws such as the Health Insurance Portability and Accountability Act.

Knight recognizes the value of healthcare innovation despite the threats to mobile app security. To continue innovating while protecting sensitive data, it suggests that organizations build security into the code from the start when designing mobile health apps. “We just need to be doing a better job at securing [apps] before they go into production before we launch them and make them available to the general public because this is our most sensitive data,” Knight said.