The vast majority of Android and iOS healthcare apps contain at least one serious vulnerability, exposing their users to data theft and privacy issues, according to Intertrust.
To compile its Security report on global mHealth apps 2020, the connected security vendor recently analyzed 100 applications, 50 on each platform. They covered four key areas of the healthcare sector: telemedicine/patient engagement; health commerce; medical device apps; and COVID tracking.
Intertrust found that every single app tested had at least one basic security issue and 71% contained at least one high-level security flaw.
Using OWASP-aligned static and dynamic analysis techniques, the Intertrust team found that every Android app it analyzed and 72% of iOS apps contained four or more vulnerabilities.
More specifically, 91% of medical apps had mishandled and/or weak encryption, putting them at risk of exposing IP and patient data. A third of Android apps (34%) and 28% of iOS apps were vulnerable to encryption key extraction, and 85% of COVID apps leaked data.
By category, health commerce apps contained the largest number of vulnerabilities (80% had over seven), while telemedicine apps had the most high-risk vulnerabilities (80%).
Some 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data open to reading and editing by attackers and malicious apps. Over 80% of high-level vulnerabilities could have been mitigated by measures such as code obfuscation, tampering detection, and white-box cryptography, Intertrust said.
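The SharedPreferences finding, as an added illustration that is not from Intertrust's report or any app it tested: the weak pattern writes a patient identifier as cleartext XML under the app's data directory, while Jetpack Security's EncryptedSharedPreferences encrypts both keys and values with a master key held in the Android Keystore. It assumes the androidx.security:security-crypto dependency (1.1.0 or later for the MasterKey API); `PatientPrefs`, the file names and the preference key are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Hypothetical helper written for this illustration; not from the report or any tested app.
object PatientPrefs {
    private const val PREFS_NAME = "patient_prefs"   // constructed file name

    // WEAK (the pattern the report describes): the value is stored as cleartext XML in
    // /data/data/<package>/shared_prefs/patient_prefs.xml. Anything that reaches
    // app-private storage (rooted device, debuggable build, device backup) can read
    // and edit it.
    fun saveInsecure(context: Context, patientId: String) {
        context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
            .edit()
            .putString("patient_id", patientId)
            .apply()
    }

    // HARDENED: keys are encrypted with AES256-SIV and values with AES256-GCM.
    // The master key is generated in and never leaves the Android Keystore, so a
    // copy of the XML file alone does not reveal the data.
    private fun encryptedPrefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context,
            "${PREFS_NAME}_enc",
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    fun saveSecure(context: Context, patientId: String) {
        encryptedPrefs(context).edit().putString("patient_id", patientId).apply()
    }

    fun loadSecure(context: Context): String? =
        encryptedPrefs(context).getString("patient_id", null)
}
```

To check your own debuggable build, `adb shell run-as <package> cat shared_prefs/patient_prefs.xml` shows the insecure file in cleartext while the `_enc` file holds only ciphertext. Google has since deprecated the security-crypto library, but the pattern it implements (a per-app key in the Keystore plus authenticated encryption of stored values) is still the mitigation for this finding.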
The findings are concerning given that healthcare is one of the most popular targets for cyber-criminals today, and that online health services are attracting ever more users because of the pandemic.
Unfortunately, two in five healthcare organizations prioritize time-to-market over application security concerns, according to Verizon.
“While mobile devices and OSes have some built-in safeguards, they are generally not sufficient to prevent hackers from finding and exploiting vulnerabilities and security flaws in mobile healthcare apps,” wrote Intertrust.
“Once in, cyber-criminals can steal patient and payment data, lift proprietary algorithms and other IP, locate and extract cryptographic keys, inject malicious code into apps, and even find their way into critical backend systems.”