The rise of API vulnerabilities in mobile healthcare apps (Photo by JOAQUIN SARMIENTO / AFP)

• Reports find that mobile health apps leak sensitive data through APIs
• By 2022, API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches

The Covid-19 pandemic has accelerated the use of mobile healthcare apps and virtual care. Due to that, the personal health data of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by Knight Ink and cybersecurity firm Approov. 

Several widely-used mobile health apps have basic security flaws that could leave them vulnerable to attacks, whereby the processing, transmitting, and storing of a lot of vital and presently valuable information – protected health information (PHI) – are being sold on the dark web. Knight partnered with mobile security company Approov to hack 30 mobile health apps to highlight the threats they face through APIs. 

The findings were published in a recent report, “All That We Let In”, and it was discovered that all of the apps are vulnerable to API attacks, and some allowed access to electronic health records (EHRs). The 30 apps collectively expose 23 million mobile health users to attacks, Knight reported. Of the 30 apps tests: 77% contained hardcoded API keys, of which some do not expire according to the report, and 7% had hardcoded usernames and passwords.

Approov CEO and founder, David Stewart, explained that APIs are the communication channels between a mobile app and a cloud service, physical server, or hospital infrastructure. The threat to APIs is concerning as Gartner predicts that by 2022, API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches. In healthcare, APIs will allow mobile phones to access patient X-rays, pathology reports, and allergy data, among other things. 

“There are plenty of mobile healthcare apps that may not be directly accessing the patient’s medical records, but they’re still accessing extremely sensitive information – like which prescriptions they…