Dozens of mobile health apps found vulnerable to security risks

David Bisson

Researchers have found that dozens of mobile health apps are vulnerable to at least two of the top ten mobile risks identified by the Open Web Application Security Project (OWASP).

In its 5th Annual State of Application Security Report, application protection provider Arxan contrasts user perception with the reality of mobile app security.

On the one hand, after surveying some 1,083 individuals (815 users and 268 IT decision makers) located in the United States, the United Kingdom, Germany, and Japan, Arxan found that a majority of respondents are optimistic about the security of the mobile health apps they use.

For example, 87% of executives and 78% of users felt that their applications were adequately secure, and 75% of the IT decision makers were confident that everything was being done to protect the apps. Only half of users felt the same way.

In actuality, however, the respondents’ optimism was severely misplaced, says the report:

“When put to the test, the majority of mobile health apps failed security tests and could easily be hacked.”

Of the 71 popular mobile health apps that were tested for security vulnerabilities, nearly all of them (86%) were found to contain at least two OWASP Mobile Top 10 Risks.

Specifically, a lack of binary protection (96%) and insufficient transport layer protection (79%) registered as the most common risks among the apps surveyed. Both of those vulnerabilities can result in reverse engineering, data theft, privacy violations, and tampering with application code.

Included in the survey set were several FDA- and NHS-approved mobile apps, of which 84% and 80%, respectively, were found to have not addressed the two OWASP Top 10 Risks discussed above.

What’s even more troubling is the fact that many organizations do not have the resources to manage those risks. According to Arxan, half of all organizations do not have any available budget for mobile security. This means that the vulnerable apps, which Arxan did not identify by name, could continue to jeopardize users’ privacy and information well into the future.

Such a lack of security focus will likely come back to bite organizations in the future, according to Patrick Kehoe, CMO of Arxan Technologies:

“Mobile apps are often used by organizations to help keep customers ‘sticky,’ yet in the rush to bring new apps to market, organizations tend to overlook critical security measures that are proving crucial to consumer loyalty. Our research in Arxan’s 2016 State of App Security Report demonstrates that mobile app security is an important element in customer retention. Baking in robust mobile app security is not only a smart technology investment to keep the bad guys out, but also a smart business investment to help organizations differentiate from the competition and to achieve customer loyalty based on trust.”

Executives can help protect against the risks identified in Arxan’s report by strengthening the weakest links within an organization. As for users, they should pressure application providers to focus on security. For those that don’t, users should neither pay for nor download those providers’ apps.

For more information, check out Arxan’s report in full.

Arxan’s findings appear to back up those of independent testing authority AV-Test.org, which last year took a close look at wearable fitness trackers and found that some exhibited poor security and leaked data.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
