You will be disappointed if you think your national medical authority’s stamp of approval on a health app means it adequately secures your medical information.
A probe of 71 popular health apps for iPhones and Android devices has found that 80 percent carry at least two mobile security vulnerabilities that could expose private information to attackers.
Security firm Arxan details its analysis in a new report probing the security of the most popular iOS and Android health apps in the US, UK, Germany and Japan.
Among the apps included were 19 health apps approved by the US Food and Drug Administration (FDA) and 15 health apps approved by the UK National Health Service (NHS) before October 2015.
Consumers might expect government-approved apps to handle their data safely. However, the company found that 84 percent of the FDA-approved apps and 80 percent of the NHS-approved apps were affected by at least two of the top 10 weaknesses in the Open Web Application Security Project (OWASP) mobile risk list.
OWASP has published its list of the most common web application vulnerabilities for over a decade, and maintains a separate Mobile Top 10 risk list, whose 2014 edition Arxan used as its benchmark. The most common mobile weakness, found in 97 percent of the health apps analysed, was a lack of “binary protection”: mitigations such as code obfuscation and anti-tamper checks that make it harder for attackers to reverse engineer a mobile app’s code and insert malicious functionality into it.
Additionally, 79 percent of the apps offered insufficient “transport layer protection”, meaning data in transit was not adequately protected, typically because the app failed to enforce TLS or accepted any certificate presented to it. The third most common risk was “unintended data leakage”, where data the app handles ends up somewhere, such as logs, caches or shared storage, that other apps on the device can read.
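To make the second of those risks concrete, here is an added Python illustration of what “insufficient transport layer protection” looks like in client code. It is not code from Arxan’s report or from any of the apps studied; the function names are my own. It places the common anti-pattern (certificate and hostname checks switched off) beside a hardened configuration that enforces TLS 1.2 or newer with chain and hostname verification, adds an audit function that flags the weak settings, and shows leaf-certificate pinning as an extra check against a compromised or misissued CA.

```python
"""Weak vs hardened TLS client configuration with Python's ssl module.

Added illustration of the OWASP Mobile "insufficient transport layer
protection" risk; not code from Arxan's report. Names are hypothetical.
"""
import base64
import hashlib
import hmac
import socket
import ssl
from typing import List, Optional, Set


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern copied from countless 'fix the SSL error' answers:
    any certificate, from anyone, for any hostname, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # skips chain validation entirely
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against trusted roots, check the hostname and refuse
    protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the transport-layer weaknesses present in a context
    (empty list means none of the checked weaknesses were found)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no certificate verification (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("no hostname verification (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version < TLSv1_2)")
    return findings


def cert_pin(cert_der: bytes) -> str:
    """Base64 SHA-256 of the DER-encoded leaf certificate. (Pinning the
    SubjectPublicKeyInfo instead would survive certificate renewal but
    needs an ASN.1 parser, which is out of scope here.)"""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def pin_matches(cert_der: bytes, pins: Set[str]) -> bool:
    """Compare the presented certificate against the pin set in constant
    time, so a mismatch is not distinguishable by timing."""
    presented = cert_pin(cert_der)
    return any(hmac.compare_digest(presented, p) for p in pins)


def fetch_head(host: str, ctx: ssl.SSLContext,
               pins: Optional[Set[str]] = None, port: int = 443) -> bytes:
    """Open a verified (and optionally pinned) TLS connection and send a
    HEAD request. Needs network access, so the offline checks skip it."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if pins is not None and not pin_matches(leaf, pins):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            return tls.recv(4096)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The audit function is the part worth lifting into a test suite: run it against every `SSLContext` an app constructs and fail the build if it returns anything. Note that `insecure_context()` must clear `check_hostname` before setting `CERT_NONE`, because Python refuses the reverse order; that ordering requirement is itself a small signal that the combination is unsafe.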
Arxan puts the vulnerabilities down to the rush to release new apps, often to retain existing customers.
Health apps aren’t alone in being released with security weaknesses that could easily be avoided. A 2014 study by security firm IOActive of 40 banking apps from the top financial institutions in the world found that 90 percent were insecure, with many of the same vulnerabilities that cropped up in Arxan’s study.
But it seems consumer trust comes cheap when apps are involved. Arxan’s survey of 1,083 people in the US, UK, Germany and Japan found that 81 percent feel their mobile apps are adequately secure. Interestingly, the company also found that the IT executives in the survey were more confident in the security of apps than general consumers were.
The company argues that developers would have an incentive to build more secure apps, but only if consumers could actually judge security for themselves. The survey found that 80 percent of consumers would switch to another app if the alternative were more secure.
So how would Arxan level out the asymmetry of information available on the security of apps between consumer and developer?
The company suggests something similar to nutritional labelling on packaged foods be introduced for health apps. Agencies like the NHS and FDA would establish a “good housekeeping” seal of approval and require health app providers to publish an OWASP Mobile Top 10 Risk rating for critical health apps.
“Consumers need to know what risks they are accepting before downloading or ‘consuming’ an app. And the healthcare community, including healthcare providers, medical device manufacturers, and others, need to incorporate risk as a fundamental consideration before making app recommendations to patients and app users,” the company said.
In the absence of regulation, consumers could expect to see more security marketing from health apps providers.
Arxan suggests health app developers “market the strength of security you offer to attract and retain patients and health app users”. The obvious problem here is that there is no shortage of apps that already claim to provide a safe and secure service, yet without probing by third-party security researchers, consumers have to take those claims at face value.