The 5th annual report on the “State of Application Security 2016” that was recently published by Arxan raises an important question: How secure are mobile health control apps? The answer appears to be quite surprising.
What was analyzed during the app security survey?
The research combined a cross-comparison of 126 mobile applications for health monitoring and management with a survey of 238 average application users and 80 executives, 318 participants in total, from Japan, the USA, the United Kingdom and Germany, who were asked how secure they perceive these applications to be.
“Expectation vs Reality” gap is enormous
Primary results on the perceived security of mobile health apps showed that around 87% of IT executives feel confident about their app security, compared with 78% of users. Three-quarters of mobile IT professionals believe that “everything is being done to protect” their apps, while only half of the average consumers agree with them. And while 48% of mHealth app executives think their app is “likely to be hacked” within the next 6 months, more than half (55%) of application users share the same concern.
The majority of popular healthcare applications contain significant security flaws and vulnerabilities: 71 mobile health apps (including those approved by the US Food and Drug Administration (FDA) and other regulatory bodies) from the above-mentioned countries were tested at the end of 2015 using Mi3 Security tools.
The “Reality” part of the research showed that 61 out of 71 tested apps (86%) had at least 2 of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. More surprising is that 80% of these health apps had previously been approved by the FDA or the UK National Health Service (NHS), and they too were found to have at least two of the OWASP Mobile Top 10 Risks.
Two of the most commonly identified vulnerabilities are the lack of binary code protection (97%) and poor transport layer protection (79%). These particular weaknesses can be used for application reverse-engineering, data theft and privacy violation. Aside from the obvious damage of data loss, imagine a health app being hacked to transfer funds from synced accounts or to prescribe a lethal drug dose.
Keeping these numbers in mind, more than 76% of mobile health app users would switch providers if their current app were known to be vulnerable and a competitor's app were more secure. On top of that, half of the polled organizations have no budget allocated to protecting mobile apps.
What can be done to improve mobile health apps security in 2016?
Since the research took a two-sided approach (the perspectives of both application executives and average users), the researchers provided recommendations for each side:
For mHealth App Executives:
- Work on your weakest links. Handling the two most prevalent risks (lack of binary code protection and lack of transport layer protection) seems like a good place to start.
- Don’t stop after government approval of your app. FDA- and NHS-approved apps appear to be as vulnerable as those that require no federal or state approval, so don’t stop improving your security after the app is released.
- Keep the security component competitive. App protection is a purchasing factor that can play a significant role in gaining new users as well as retaining existing patients.
- Always perform an app privacy impact self-assessment; check out this blog post to find out how to do it properly.
For mHealth app users:
- Don’t break the system. Jailbreaking or rooting your device might not be the best idea if you want to keep your health data private.
- Don’t be an “app-scavenger”. Free apps from unauthorised sources might save you a few dollars today and cause a system breakdown tomorrow.
- Ask for the answers. You have every right to demand transparent risk and security policy from your health app developer before you hit the download button.
This year, health app developers will start taking the security risks of their apps seriously. The good news is that investment in an app protection policy will bring great returns through increased app loyalty and patient retention rates.
And what's your take on this?
Data source: State of Application Security Report 2016