From The Editor | February 29, 2016

Data Security In Mobile Health Apps: Does Perception Match Reality?

By Ed Miseta, Chief Editor, Clinical Leader

The use of mobile apps has exploded in recent years. One report, put out by mobile analytics firm Flurry, shows app usage grew by 76 percent in 2014 alone. Health and fitness apps were one of the leading categories, showing growth of 89 percent. With the number of apps in the Google Play store exceeding 1.6 million, and the number of app downloads projected to hit 268,692 million in 2017, the use of mobile technologies will not slow anytime soon.

Couple that with pharma companies and CROs hoping to increase the use of apps and wearable devices in clinical trials, and it seems this could be a boon to both patient recruitment and retention. But is data being captured and transferred by these devices protected? And does the perception of this protection by users match the reality? Arxan Technologies has just completed its 5th annual State of Application Security report, which looks at the security of some of the most popular mobile health applications available. The company found a huge discrepancy exists between consumers’ beliefs regarding the level of security built into these apps, and the degree to which developers address the known vulnerabilities.

To compile the mobile health app report, Arxan surveyed 318 individuals in the U.S., U.K., Germany, and Japan. Eighty of them identified as IT executives with security oversight of, or insight into, the mobile health apps their organizations produce. The remaining 238 respondents were consumers who use mobile health apps. A nine percent gap existed between the share of executives and the share of consumers who felt mobile apps are adequately secure (87 percent of executives versus 78 percent of consumers). But while 75 percent of executives felt everything was being done to protect apps, only 50 percent of consumers felt the same. Despite the high number of executives who felt everything was being done to protect apps, 48 percent still felt their app would be hacked within the next six months. Fifty-five percent of users indicated the same concern.

With those perceptions in hand, Arxan then tested 71 of the most popular mobile health apps in those same four countries. They were tested using tools from Mi3, a third-party independent application security company that interrogates mobile apps for malware threats, privacy risks, and data leaks. Apps approved by regulatory or governing bodies were also included in the security assessment.

The results were not good. Arxan found 86 percent of the apps tested were vulnerable to at least two of the OWASP (Open Web Application Security Project) Top Ten mobile risks, which are identified as the most critical risks facing mobile applications. Of even greater concern, 84 percent of FDA-approved apps and 80 percent of apps formerly approved by the NHS (National Health Service) were also vulnerable to at least two of those same top ten risks. Those risks include insecure data storage, unintended data leakage, weak server-side controls, poor authorization and authentication, and a lack of binary protections.

Ninety-seven percent of the apps tested lacked binary code protection and could be reverse-engineered or modified. Seventy-nine percent had poor transport layer protection, which could lead to data and identity theft. And, although 76 percent of app users indicated they would change providers if their app was known to be vulnerable or if a similar app was known to be more secure, only 50 percent of organizations indicated they have money budgeted for protecting mobile apps.

So what is one to do with this information? Arxan has advice for both app executives and end users. For executives, they recommend setting an internal security bar above current regulations. Since regulatory bodies generally lag behind cyber criminals, applications that have been approved by regulatory bodies, including the FDA, can often be just as vulnerable as other apps. They also recommend that companies identify the elements of the OWASP mobile risk list that are being neglected and place a focus on them. The report identified the lack of binary code protection and the lack of transport layer protection as two of the most prevalent. It also recommended marketing the strength of an app's security as a means to attract and retain customers, as this is a factor becoming increasingly important in purchasing decisions.

For consumers, the top recommendations were to download apps only from authorized sources; not to jailbreak or root devices (removing manufacturer or carrier restrictions from a device in order to install programs), as this negates security measures put in place for data protection; and to demand transparency about each app's security, so as to better understand what you are downloading.

The full report can be downloaded by visiting www.Arxan.com.