A new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project (OWASP) top 10 risks.
Most health apps are susceptible to code tampering and reverse-engineering, two of the most common hacking techniques, the report found. Ninety-five percent of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, device tampering and patient safety issues.
The new research from Arxan, which this year placed special emphasis on mobile health apps, was based on analysis of 126 popular health and finance apps from the United States, United Kingdom, Germany and Japan.
There is a disparity between consumer confidence and the attention given to security by app developers, the study found. While the majority of app users and app executives said they believe their apps are secure, nearly all apps Arxan assessed proved to be vulnerable.
The situation isn’t much better across the pond, either, where 80 percent of the mobile health apps approved by the U.K. National Health Service and tested by Arxan did not adequately address at least two of the OWASP mobile top 10 risks, according to the 5th Annual Arxan State of Application Security Report. OWASP is an online community dedicated to web and mobile application security.
“Given the highly distributed mobile environment, healthcare CIOs and provider organizations with mobile apps should bake application self-protection security measures into their apps before releasing them ‘into the wild,’” said Patrick Kehoe, chief marketing officer at Arxan Technologies. “Hardening mobile health apps with application self-protection allows the app to be protected against advanced threats no matter where it goes. In addition to app hardening, beefing up protection of the application programming interfaces, or APIs, that communicate between the mobile apps and back-end servers that contain high-value, high-target health information is becoming essential.”
Many CIOs and healthcare security executives do a good job of minimizing data exposure on mobile devices by keeping sensitive data stored on back-end servers, but hackers know this, and APIs with standard security that does not hide cryptographic keys within applications and in memory can be overtaken and used as a path into the valuable and sensitive data on back-end servers, Kehoe added.