How Health Apps Leave Their API Keys Vulnerable To Attacks And How To Protect Them
Recent research shows that mobile health apps are vulnerable to API attacks, which could result in unauthorized access to full patient records.
The company Approov teamed up with leading cybersecurity analyst Alissa Knight to hack and analyze 30 mobile health apps, highlighting their vulnerabilities and the risk that inadequate API security poses to the targeted apps and to patients’ sensitive health information. The research underscores the importance of protecting your API keys and the actions developers need to take to protect their mobile health apps.
The research found that one hundred percent of the apps analyzed were vulnerable to API attacks that can give unauthorized access to patient records. This includes protected health information (PHI) and personally identifiable information (PII).
Knight was able to view patient records, and found that 50% of the records accessed contained sensitive information such as names, social security numbers, addresses, and information about allergies and medications.
The Consequences of Poor API Key Protection
While all the 30 apps tested were found to be vulnerable to API attacks, the research also found that out of all apps:
- 77% contained hardcoded API keys, some of which don’t expire, and
- 7% even hardcoded usernames and passwords
According to Gartner, hardcoding API keys or other credentials in web and mobile applications is one of the four most common API vulnerability paths, and the practice exposes app secrets to decompiling attacks. Gartner also predicts that by 2022, API attacks will be the most frequent attack vector for application breaches.
API keys are valuable information that needs to be kept safe. Hardcoding app secrets directly into the source code and relying on obfuscation for protection is a common strategy for many app developers. However, this is not enough to properly protect your secrets, and hackers can easily retrieve them by simply reverse-engineering the app.
If an attacker gets access to API keys, they can extract them and use them to build new software that impersonates the real app to make arbitrary API calls, or otherwise access your backend infrastructure to communicate with and scrape sensitive information, such as a patient’s health information, from your servers.
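The point above, that an API key or credential embedded in the app can be found by anyone who decompiles it, is something a development team can check for itself before release. The following is an added example, not code from the article or from the Approov / Knight research: a small scanner of the kind a release pipeline runs over decompiled sources and resource files, flagging string literals that look like embedded API keys, base64-"obfuscated" credentials, or random key material. All sample lines and key values are constructed for illustration; the detection rules (credential-like variable names, base64 that decodes to text, and a character-entropy threshold) are this example's own choices, not a published standard.

```python
"""Hard-coded secret scanner: an added example, not code from the article or
from Approov's / Alissa Knight's research. It applies the kind of check a
release pipeline should run over decompiled app sources and resource files,
flagging literals that look like embedded API keys or credentials. The
sample lines and every key value below are constructed and fake.
"""
import base64
import binascii
import math
import re

# Constructed sample of lines as they might appear in decompiled Java sources
# and Android resource XML. None of these values belong to a real app.
SAMPLE_LINES = [
    'public static final String BASE_URL = "https://api.example-health.invalid/v1";',
    'public static final String API_KEY = "hk_live_9f3Ab7Qx2ZtP1mN8vL4cR6sW0yE5uJ2d";',
    'String creds = "ZGVtb191c2VyOkRlbW9QYXNzd29yZDEyMw==";  // base64 basic-auth pair',
    'String sessionSeed = "q8Zr2LmNv6tY1Kp4Wd0BxC7eH3jF9gA5";',
    '<string name="app_name">HealthTracker</string>',
    'Log.d(TAG, "sync complete");',
]

# Identifier fragments that usually label a credential.
CREDENTIAL_NAME = re.compile(r"api[_-]?key|secret|token|password|passwd|credential", re.I)
# Double-quoted literals of at least 16 characters (shorter ones are rarely keys).
STRING_LITERAL = re.compile(r'"([^"\\]{16,})"')
# Shape of a base64 blob long enough to hide a user:password pair or a key.
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; a random 32-char key scores 5.0


def shannon_entropy(text):
    """Bits of entropy per character; higher means more key-like."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def decode_if_text(literal):
    """Return the decoded ASCII text if `literal` is base64 of printable text, else None."""
    if not BASE64_SHAPE.match(literal):
        return None
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_literal(line, literal):
    """Return a reason string if the literal looks like an embedded secret, else None."""
    # Look for a credential-like name in the code around the literal, not in its value.
    if CREDENTIAL_NAME.search(line.replace(literal, "")):
        return "credential-named literal"
    decoded = decode_if_text(literal)
    if decoded is not None and (":" in decoded or CREDENTIAL_NAME.search(decoded)):
        return "base64-encoded credential"
    if literal.startswith("http"):
        return None  # URLs score fairly high on entropy but are not secrets
    if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
        return "high-entropy literal"
    return None


def scan(lines):
    """Return a list of (line_number, reason, literal) findings, 1-indexed."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for literal in STRING_LITERAL.findall(line):
            reason = classify_literal(line, literal)
            if reason:
                findings.append((number, reason, literal))
    return findings


if __name__ == "__main__":
    for number, reason, literal in scan(SAMPLE_LINES):
        print(f"line {number}: {reason}: {literal[:8]}...")
```

Run against the constructed sample, the scanner reports the named API key, the base64 pair (which decodes straight back to a `user:password` string, which is why encoding is not protection) and the anonymous random token, while the URL, the resource name and the log message pass. In practice a team would run this over the unpacked release build, not just the repository, since a key can reach the binary through a build script or a resource file that never appears in source.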
The consequences can be damaging for both the app user and the app provider, and an attack can result in serious data breaches, GDPR fines, and a damaged brand reputation for the targeted company.
How SAROM can help secure your API keys, certificates and other fixed app secrets
As this research shows, protecting fixed app secrets, such as API keys, is important for the security and integrity of your mobile health app.
Our newest feature, Secure Application ROM (SAROM), offers a unique solution to the difficult challenge of protecting fixed secrets inside your app, such as certificates and API keys, which are necessary for the security of a health app but are difficult to safeguard.
SAROM encrypts data in a secure manner to protect secrets from theft. Assets are automatically encrypted during Shielding and only decrypted at application runtime when needed by the application code.
The encrypted assets are never statically accessible but dynamically generated, which dramatically decreases the attack scope and makes it very difficult for attackers to find and retrieve the encrypted secrets, such as your API keys.