
All That We Let In: Hacking Mobile Health APIs (Part 1)




Introduction


Are you being kept up at night wondering just how secure your company's mobile health (mHealth) APIs really are? You aren't alone. And after the research I’ve conducted on mHealth APIs, you very well should be. If you aren't, you will be.


The number of mHealth companies has more than doubled in the past two years, and with COVID-19, the protracted work-from-home economy is rewriting workplace norms that have been in place since the first industrial revolution. The court of public opinion on the future of retail shopping, banking, and healthcare in our new mobile-first world has delivered its verdict. Any business requiring a physical trip to a brick-and-mortar building doesn't have a future unless it offers its service through a mobile app.


What you're reading is the first installment of a multipart series on the first-ever vulnerability research campaign performed on mHealth apps and APIs. Multiple mHealth companies participated in this research, which will amount to an unprecedented release of vulnerabilities, the largest ever published in the healthcare industry, without identifying the individual companies that participated in the research.


The purpose of this research is to draw attention to the new attack surface being created in the 21st-century API economy, which is now processing, transmitting, and storing our most vital information, currently the most valuable information being sold on the dark web -- protected health information (PHI).


The problem isn't the use of mHealth apps, as they're solving real problems, especially for patients needing always-on monitoring and remote access to their clinician or mental health provider. This is the direction healthcare has inevitably headed as new innovations in the digitalization of healthcare have enabled clinicians to care for us in our homes remotely from their clinics. The answer to this security challenge isn't stopping the use of mHealth apps and APIs but rather properly hardening them using security solutions on both the endpoint and the network.


After identifying the vulnerabilities and findings produced in this primary research, the final part in this series will discuss the solutions so CISOs, cybersecurity engineers, and developers can secure against these attacks.


This series will present the findings from my research and include videos produced on the findings and a link to the white paper sponsored by CriticalBlue (Approov).