Technology experts 'shocked and surprised' at mobile health app security threat

Experts warn of the dangers as research reveals health apps are open to abuse

Technology experts have spoken of their shock and surprise after a new report revealed that the majority of mobile health apps test positive for critical security problems.

Security is not only about keeping the bad guys out, but should also be viewed as a way to attract and retain customers – a vital consideration for any business, but particularly in the healthcare sector where everything revolves around trust

Concerns were raised following the publication of Arxan Technologies’ 5th Annual State of Application Security Report, which analysed the safety of popular apps from around the world as well as the security perspectives of consumers and app security professionals.

And the results have shocked experts, revealing a wide disparity between consumer confidence in the level of security incorporated into mobile health apps and the degree to which organisations address known vulnerabilities.

While the majority of app users and executives believed their apps to be secure, nearly all those Arxan assessed, including regulatory body-approved health apps, proved to be vulnerable to at least two of the top 10 serious security risks.

Speaking to BBH this week, Stephen McCarney, marketing vice president of Arxan Technologies, said: “We were very surprised by how significant the margin between people’s confidence in the safety of apps and the actual reality was.

Without the proper protections already embedded into the app, we are opening ourselves up to a whole host of problems such as data privacy violations, IP theft, and, even worse – possible consumer safety concerns

“This was a particularly-surprising finding based on recent IT security breaches and the media attention surrounding them.

“You expect app makers and suppliers to be confident in the security of their products, but we were surprised by how much customers are putting trust in these organisations and are not aware of the potential vulnerabilities.”

And he added that it was vital that healthcare organisations and app makers took notice of the findings.

“Customers told us they would change providers if they knew the apps they were using were not secure,” he said.

“This tells us that security is not only about keeping the bad guys out, but should also be viewed as a way to attract and retain customers – a vital consideration for any business, but particularly in the healthcare sector where everything revolves around trust.”

The research found that 80% of apps tested that were previously approved by the NHS had at least two of the top 10 risks. Most prevalent among these was a lack of binary protection. That means apps can be reverse-engineered and tampered with by outside parties.

In certain areas some risks are very well addressed, but we need to remember that we are only as strong as our weakest link

McCarney said: “In effect, this means that someone could relatively easily change the app or the parameters. Without the proper protections already embedded into the app, we are opening ourselves up to a whole host of problems such as data privacy violations, IP theft, and, even worse – possible consumer safety concerns.”

Offering advice to customers, healthcare providers, and app designers, he added: “First and foremost we need to level the playing field.

“In certain areas some risks are very well addressed, but we need to remember that we are only as strong as our weakest link. You can be strong in 80% of areas, but the weaknesses in the other 20% negate all that protection.

“For the healthcare app sector in the UK, the lack of binary protection is a good starting point for improvements because there is a major lack of post-production protection.

“One way of addressing this is to input multi-layered guards into the binary of the application at the point just before the app is ready to be released.

For the healthcare app sector in the UK, the lack of binary protection is a good starting point for improvements because there is a major lack of post-production protection

He also called for better collaboration and sharing of information.

“It is very important for health and care providers to collaborate with the commercial sector to understand what the emerging risks are and what they can do about them.

“The healthcare community is increasingly relying on apps to operate medical devices and store and share sensitive health data in mobile health apps.

“We see 2016 as a critical inflection point for app security. There is a footrace between the healthcare community that must do more to maintain privacy and security and hackers who prey on easy, vulnerable access points to steal high-value data.”

Companies