8 in 10 ‘government approved’ health apps are insecure

You will be disappointed if you think your national medical authority’s stamp of approval on a health app means it adequately secures your medical information.

A probe of 71 popular health apps for iPhones and Android devices has found that 80 percent carry at least two mobile security vulnerabilities that could expose private information to attackers.

Security firm Arxan details its analysis in a new report probing the security of the most popular iOS and Android health apps in the US, UK, Germany and Japan.

Among the apps included were 19 health apps approved by the US Food and Drug Administration (FDA) and 15 health apps approved by the UK National Health Service (NHS) before October 2015.

Consumers could expect government-approved apps to handle their data safely, but the company found that 84 percent of the FDA-approved apps and 80 percent of the NHS-approved apps were exposed to two of the top 10 weaknesses in the Open Web Application Security Project (OWASP) mobile risk list.

OWASP has published a list of common web vulnerabilities for several years, and introduced a mobile top 10 risk list in 2014. The most common mobile vulnerability — found in 97 percent of the health apps analysed — was a lack of “binary protection”, referring to mitigations that prevent attackers from reverse engineering a mobile app’s code and inserting malicious functionality into it.

Additionally, 79 percent of apps offered insufficient “transport layer protection”, which aims to protect data in transit. The third most common risk was “unintended data leakage”, which refers to an app’s information being easily accessible to other apps on the device.
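To make the second of those weaknesses concrete, here is an added example (not from the article or the Arxan report) using Python's standard `ssl` module: the client configuration that produces an “insufficient transport layer protection” finding beside a hardened one, with a small audit function that flags the difference. The function and its finding strings are this example's own.

```python
"""Added example (not from the Arxan report or the article): how the
'insufficient transport layer protection' weakness in the OWASP Mobile Top 10
shows up in a TLS client configuration, and a small audit that flags it.
Uses only Python's standard library; no network access is needed."""
import ssl


def weak_context() -> ssl.SSLContext:
    """The pattern behind most transport-layer findings: certificate checks
    disabled, so a self-signed or attacker-supplied certificate is accepted,
    and deprecated protocol versions left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # hostname never compared to cert
    ctx.verify_mode = ssl.CERT_NONE               # chain never validated
    ctx.minimum_version = ssl.TLSVersion.TLSv1    # allows deprecated TLS 1.0
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a health app's client should ship: full chain and hostname
    verification against the platform trust store, and TLS 1.2 as a floor."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the transport-layer findings a reviewer would raise for ctx.
    An empty list means the configuration passes this (narrow) check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (CERT_NONE/OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no transport-layer findings")
```

The same three checks (chain validation, hostname matching, protocol floor) are what a mobile app reviewer looks for in an Android or iOS networking stack; the Python context is just a stand-in that runs offline.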

Arxan puts the vulnerabilities down to the rush to release new apps, often to retain existing customers.

Health apps aren’t alone in being released with security weaknesses that could easily be avoided. A 2014 study by security firm IOActive of 40 banking apps from the top financial institutions in the world found that 90 percent were insecure, with many of the same vulnerabilities that cropped up in Arxan’s study.

But it seems consumer trust comes cheap when apps are involved. Arxan’s survey of 1,083 people in the US, UK, Germany and Japan found that 81 percent feel their mobile apps are adequately secure. Interestingly, the company also found that IT execs in the survey were more confident in the security of apps than general consumers.

The company highlights that there would be an incentive for developers to build more secure apps — only if consumers actually knew how to judge that. The survey found that 80 percent of consumers would switch to another app if the alternative was more secure.

So how would Arxan level out the asymmetry of information available on the security of apps between consumer and developer?

The company suggests something similar to nutritional labelling on packaged foods be introduced for health apps. Agencies like the NHS and FDA would establish a “good housekeeping” seal of approval and require health app providers to publish an OWASP Mobile Top 10 Risk rating for critical health apps.

“Consumers need to know what risks they are accepting before downloading or “consuming” an app. And the healthcare community, including healthcare providers, medical device manufacturers, and others need to incorporate risk as a fundamental consideration before making app recommendations to patients and app users,” the company said.

In the absence of regulation, consumers could expect to see more security marketing from health app providers.

Arxan suggests health app developers “market the strength of security you offer to attract and retain patients and health app users”. The obvious problem here is that there is no shortage of apps that already claim to provide a safe and secure service, yet without probing by third-party security researchers consumers have to take those claims at face value.


Stories by Liam Tung
