mHealth Security Flaws Pose Risks to Users

Some of the most popular mobile health apps have “critical” security flaws, which can lead to confidentiality issues for patients and medical professionals, as well as safety issues regarding data integrity, according to a new study.

Researchers from the University of Applied Sciences and Arts Dortmund in Germany assessed 53 apps taken from lists of the top 10 downloaded free apps in 3 countries. They found that 40% had pressing vulnerabilities.

mHealth apps have a “heightened need for protection,” the report said. Yet none of the 21 apps that had security issues guaranteed the integrity of user data, 18 apps leaked private data or compromised confidentiality between apps and their servers, 17 apps used unprotected connections, and 2 apps failed to validate certificates. Many apps employed ad providers, which undermine user privacy, according to the study.

The findings surprised Christoph Friedrich, PhD, lead author of the study. “The proper use of transport security should be mainstream today,” he said. “Most users and developers have no feeling for the potential risks and do not care about it.”

The term “transport security” refers to the means by which an app transmits data to a service provider. “As soon as data are sent through public infrastructure, data can potentially be observed, modified, or redirected. Without any protection, this endangers the integrity of data displayed, gives away potentially sensitive data, and enables malicious parties to impersonate the victim,” the report said.

After the study, researchers contacted developers to let them know about the security issues. Only 5 of 21 responded, Friedrich noted. They subsequently corrected the issues.

Some security risks could have “severe implications,” Friedrich said, including identify theft, password hijacking, and the loss of sensitive information.“The attacker can get full access to the smartphone, if the systems are not patched,” he said. “This is especially problematic, as some devices, after a short marketing time, do not get security fixes.”

Friedrich said that his team analyzed 1 app that had a vulnerability that would allow an attacker to send prescription information from the doctor to the pharmacy, enabling the procurement of drugs with manipulated or duplicated prescriptions.

A lack of awareness among both developers and users is a central issue, according to Friedrich. “We should train developers, [and] then the problem will disappear. The users, on the other hand, need to apply the security fixes distributed by the manufacturers in a timely manner,” Friedrich said.

Lackluster law enforcement was another obstacle that Friedrich identified. Despite strict European laws on protection for medical-related data, they are not always applied to mHealth apps. “When there is no demand for proper security implementations, it is economical to avoid them,” Friedrich said. What’s more, in the US, health apps often aren’t regulated like medical software, even though they often contain sensitive information.

Existing user concerns about information security in health apps may impede growth in the sector, Friedrich said. “If users fear misuse of their data, they might shy away from using mHealth apps,” he added. “This is a pity, as mHealth apps can be a very cost-effective instrument to improve healthcare through telemedicine or other applications.”

The report also noted the potential of using mHealth apps on inexpensive smartphones in developing countries to minimize discrepancies in healthcare worldwide.