Mobile Health Apps Found to Expose Records of Millions of Users
A recent analysis of 30 popular mobile health applications has concluded that many expose the full patient records of millions of people because of API vulnerabilities. The research was conducted by Alissa Knight of Knight Ink on behalf of the mobile API protection firm Approov. The applications remained vulnerable to API attacks that unauthorized third parties could exploit to access full patient records and other sensitive personal information.
Mobile health apps were used increasingly during the Covid-19 pandemic as a replacement for in-office visits. Researchers found that this growth in user activity makes the apps an attractive target for attackers. The 30 apps investigated by Knight averaged 772,000 downloads and had an estimated combined user base of 23 million. All of the applications analyzed by Knight lacked certificate pinning, leaving them open to man-in-the-middle attacks, and 77% contained hardcoded API keys and tokens.
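The hardcoded-credential finding above is one an app team can check for itself before release. The following is an added example, not code from the report or from Approov: a small heuristic scanner of the kind used to triage the string table of a decompiled app bundle. The input is a constructed sample imitating `strings` output, the pattern names and the entropy threshold are assumptions chosen for this example, and findings are masked so they can be logged without copying the secret into another artifact.

```python
"""Triage extracted app strings for hardcoded API keys and tokens (added example)."""
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed sample imitating `strings` output from a decompiled app bundle.
# The AWS-style key is the public documentation example; the JWT signature is made up.
SAMPLE_STRINGS = """\
https://api.example-health.invalid/v1/patients
api_key=AKIAIOSFODNN7EXAMPLE
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
FHIR_TOKEN = "d41d8cd98f00b204e9800998ecf8427e"
Loading patient record...
password = "aaaaaaaaaaaaaaaaaaaa"
"""

# Pattern names are assumptions for this example; only the AKIA prefix is a real,
# publicly documented key format. Ordering matters: specific formats run first.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9._=-]{20,})"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*[\"']?([A-Za-z0-9._=-]{16,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character: repeated characters score low, random-looking strings high."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only a short prefix so a finding can be reported without leaking the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_strings(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one masked finding per distinct candidate secret per line.

    The entropy filter drops obvious placeholders (e.g. a run of the same
    character) that match the generic assignment pattern but are not real keys.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if value in seen or shannon_entropy(value) < min_entropy:
                    continue
                seen.add(value)
                findings.append({"line": line_no, "kind": kind, "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['value']}")
```

Run against the sample, the scanner reports the AWS-style key, the bearer token and the hex token assigned to `FHIR_TOKEN`, and suppresses the all-`a` placeholder password because its entropy is zero. In practice the same routine is pointed at the output of `strings` over the unpacked APK or IPA, and any hit is treated as a release blocker until the credential is moved server-side or behind a per-user token.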