Mobile health apps leak sensitive data through APIs, report finds
Knight Ink recently partnered with mobile security company Approov to hack 30 different mobile health apps and analyze whether they pose a threat to users' valuable health information. Cybersecurity researcher Alissa Knight notes how lucrative health information is to cyberattackers, stating that a single PHI record goes for ten times the price of a set of credit card details on the dark web. Approov and Knight Ink published a report in which the companies concluded that all of the apps were vulnerable to API attacks.
Some of the apps allowed access to electronic health records. The 30 apps collectively exposed 23 million mobile health users to attacks, according to Knight. Of the apps tested, 77% contained hardcoded API keys, some of which did not expire, and 7% contained hardcoded usernames and passwords. The wide range of mobile health apps facing security threats is a concern for user safety and privacy. APIs give mobile phones access to X-rays, allergy data, pathology reports, and more.