By Stephen McCarney, VP of marketing at Arxan Technologies
From helping patients track their health and fitness to aiding practitioners in diagnosis and communications, mobile apps have now become a staple of the healthcare world for the access and convenience they provide.
However, with consumers and organisations alike facing an ever-increasing threat from cyber criminals looking to get their hands on patient records – the most valuable kind of data on the black market – security is becoming as important as usability.
Healthcare apps at risk
We tested 126 of the leading healthcare and finance apps around the world in our recent Arxan State of Application Security Report 2016, and found some major security vulnerabilities that, among other things, could leave patient data at risk. The apps varied from fairly innocuous services for tracking fitness regimes, to those containing much more personal information relating to mental illness and sensitive medical conditions.
The mobile apps were tested against one of the most reliable guideposts in the fast moving field of mobile security; the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. OWASP is an online community that creates guidance for mobile app security, and its Top 10 has served as a point of reference for organisations including the PCI DSS standard used to regulate financial services.
The Top 10 list details the most critical application security risks, and all of the healthcare apps we assessed had at least one of the Top 10 risks. Even worse, 80% of the apps we assessed that were on the previous NHS approval list had vulnerabilities in at least two areas.
Targeting the app’s DNA
Altogether, 98% of the apps we tested shared a common weakness; lack of binary code protections. Binary code is the core of an app’s make-up and essentially serves as its DNA. This string of ones and zeroes tells a device how to read and execute an application.
We have found that attackers are increasingly targeting the binary code of applications because it is the key that can open the door to a wide number of malicious activities. Accessing and modifying the binary can change how the app behaves, for example disabling other security controls and bypassing other restrictions. Compromised apps can also be used as a vector for other attacks such as injecting malware.
An app that has been cracked can also be republished for download from official and unofficial app stores. After being downloaded, the malicious app could steal sensitive information, redirect payments, and potentially make an app perform in a way it was not intended. The latter is particularly unnerving for the healthcare community, since mobile phones are being increasingly used as medical devices, and things like implantable medical devices are relying on trusted communications and device operation to do things like deliver doses of medication to patients.
So in some cases, it’s not just the privacy of data that could be at risk, it could also be personal safety. With so many ‘things’ being interconnected, in some cases hackers could leverage weaknesses in application security to gain access to an entire network.
Alongside a lack of binary protection, 78% of the apps we tested also lacked adequate transport layer protection. This governs the transfer of data from one end system to another; essentially whenever the app communicates with something, such as a server or another device.
Without proper protection in place, the app is vulnerable to ‘Man in the Middle’ attacks, where the hacker is able to intercept data by tricking the app into sending them data meant for another entity.
Just as healthy diet and exercise are practiced to ward off physical illness, prevention is the best approach to cyber threats. To achieve this, there are a few best practices that should be incorporated into the security of applications.
Prevention better than cure
Application hardening is a post-production security measure that prevents reverse-engineering and tampering of applications. Multi-layered guards can be baked into the applications before they are released so that security follows the application no matter where it goes. Even better, runtime application self-protection measures could allow for the applications to defend themselves once they are released in today’s lo -control, highly distributed environment.
In addition, many healthcare organisations are keeping as little sensitive data on the mobile device as possible and are keeping that data on backend servers. However, mobile applications communicate through APIs and gain access to backend servers where sensitive information is stored. Hackers know this and are targeting and stealing cryptographic keys in order to gain access through the API to the backend servers.
So another best practice is to beef up API protection by using a sophisticated form of whitebox cryptography. Whitebox cryptography makes it extremely difficult for hackers to locate the cryptographic keys and steal them.
The combination of application hardening and cryptographic key protection can help healthcare organisations reduce the likelihood of application reverse-engineering, tampering, and malware risks that can lead to critical privacy, security, and safety issues.
Raise the bar before you raise the roof
It’s worth noting that all of the UK-based healthcare apps we tested were previously included in the NHS’s approved apps portal. Even with the greatest of intentions, such bodies tend to be slow moving, making it hard for them to catch up to faster-moving technology and innovative cyber criminals. Even though an app may be approved by a governing body, it is still shown to be as vulnerable as an unapproved app.
The OWASP Mobile Top 10 Risks serve as a good starting point for any executive, developer or organisation looking to get ahead of the curve and identify the most common threats their healthcare app is likely to face. Setting security prevention as a core priority is the best way to ensure your app gets a clean bill of health.
Arxan offers solutions for software running on mobile devices, desktops, servers, and embedded platforms – including those connected as part of the IOT, and is currently protecting applications running on more than 500 million devices across a range of industries.