Researchers discovered that 30 popular mobile health (mHealth) applications have exposed millions of patient records. With people increasingly relying on mHealth apps during the COVID-19 pandemic, researchers observed that these apps now generate more user activity than other mobile apps. The research suggests that the majority of these health applications are highly vulnerable to API attacks, which unauthorized parties could leverage to access protected health information (PHI) and personally identifiable information (PII).
Analysis shows that these popular health apps have been downloaded by 772,000 people, with an estimated user base of roughly 23 million. According to the researchers, however, the number of affected users is likely much higher, given that more than 300,000 mHealth apps are currently available on the major app stores.
To protect customer records and sensitive patient information, security experts recommend that mobile app developers adopt a series of steps: secure both the app and its APIs, secure the development process and harden the apps, implement certificate pinning to protect against man-in-the-middle (MitM) attacks, monitor the implemented controls, perform penetration testing, and so on.