mHealth apps consistently expose PII and PHI through APIs
2021-02-12 05:00

The Knight Ink vulnerability research study details its findings and notes that the results are particularly worrisome given the increased reliance on mHealth apps during the global pandemic, which in turn is drawing threat actors to mHealth apps as an attack surface of choice.

"Observers with Pew Research noted that mHealth apps are now generating more user activities than other mobile device apps such as online banking and job searching. Observers also note that patient IDs and PHI are more lucrative in dark web markets than credit card data."

The average number of downloads for each app tested was 772,619, and it's estimated that the 30 apps evaluated expose some 23 million mHealth users, at a minimum.

The findings demonstrate that the security controls required for compliance with the U.S. government-mandated FHIR/SMART standards are only a subset of the steps needed to secure mobile apps and the APIs through which those apps retrieve data and interoperate with data resources and other applications.

Leading developers and their corporate and organizational customers consistently fail to recognize that APIs serving remote clients such as mobile apps need a new, dedicated security paradigm.

"Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/2aN-NHW2BRQ/