71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data, according to Intertrust.
The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.
Cryptographic issues pose one of the most pervasive and serious threats, with 91% of the apps in the study failing one or more cryptographic tests. This means the encryption used in these medical apps can be easily broken by cybercriminals, potentially exposing confidential patient data, and enabling attackers to tamper with reported data, send illegitimate commands to connected medical devices, or otherwise use the application for malicious purposes.
Bringing medical app security up to speed
The study’s overall findings suggest that the push to reshape care delivery under COVID-19 has often come at the expense of mobile application security.
“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do,” said Bill Horne, General Manager of the Secure Systems product group and CTO at Intertrust.
“The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.”
The report on healthcare and medical mobile apps is based on an audit of 100 iOS and Android applications from healthcare organizations worldwide. All 100 apps were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on the OWASP mobile app security guidelines.
- 71% of tested medical apps have at least one high-level security vulnerability. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
- The vast majority of medical apps (91%) have mishandled and/or weak encryption that puts them at risk for data exposure and IP (intellectual property) theft.
- 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
- The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
- When looking specifically at COVID-tracking apps, 85% leak data.
- 83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.
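The SharedPreferences finding above is easy to see in code. As an added illustration, not code from the Intertrust report or from any of the audited apps, here is the weak pattern beside its hardened form in Kotlin; it assumes the androidx.security:security-crypto library and its 1.1.x MasterKey API.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Weak pattern from the report: a session token written to plain SharedPreferences.
// The backing XML under the app's private shared_prefs directory holds the value in
// clear text, so anything that can reach that storage (a rooted device, an extracted
// backup, a forensic image) can read it and can edit it before the app reads it back.
fun storeTokenInsecurely(context: Context, token: String) {
    context.getSharedPreferences("session", Context.MODE_PRIVATE)
        .edit()
        .putString("auth_token", token)
        .apply()
}

// Hardened form: EncryptedSharedPreferences (androidx.security:security-crypto, 1.1.x API
// assumed). Keys and values are encrypted under a master key that lives in the Android
// Keystore, so the on-disk XML contains only ciphertext and the key never sits in the file.
fun encryptedPrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "session_encrypted",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

fun storeTokenEncrypted(context: Context, token: String) {
    encryptedPrefs(context).edit().putString("auth_token", token).apply()
}

// Reads transparently decrypt; a tampered ciphertext fails authentication instead of
// silently yielding an attacker-chosen value, which is the integrity property the
// plain-XML version lacks.
fun readToken(context: Context): String? =
    encryptedPrefs(context).getString("auth_token", null)
```

A quick way to check an existing build is to inspect the app's shared_prefs XML on a test device: any value that is human-readable there is stored the way the report describes.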
Rubean and CCV, in partnership with Intertrust and Riscure, announced the launch of a jointly developed contactless payment application that transforms Android handsets running 8.0 Oreo or later into contactless payment terminals, supporting PIN entry with no additional hardware.
Developed to PCI CPoC standards and certified under the Visa and Mastercard brand pilot programs, PhonePOS will launch first in Germany and then roll out more broadly throughout Europe. The solution will be deployed through European-based acquiring banks, and also offered as a service through CCV.
“This has been an enormous technical team effort,” said Bill Horne, general manager of the Secure Systems product group at Intertrust.
“Combining whiteCryption, our world-class application shielding for zero-trust environments, with Riscure’s penetration testing and certification, has brought down barriers for Rubean and CCV to deliver streamlined payment capabilities to the market.”
By making commerce even more frictionless, the solution lets millions of merchants safely and easily accept card payments from anywhere. It brings card acceptance and enhanced business opportunities to millions of micro-merchants, enabling them to accept credit cards for goods and services using only PhonePOS and their Android handset.
It requires no additional hardware, removing the expense and hassle of the card-readers and dongles necessary with alternative solutions. PhonePOS is also being tested for deployment onto professional retail tablets with full terminal-management capabilities, extending support to larger retailers.
“The challenge of delivering a software-only solution has revolved around protecting the confidentiality and integrity of payment account data on consumer-grade mobile phones and tablets,” said Hermann Geupel, chief executive officer at Rubean. “With PhonePOS, we have developed a highly secure—and at the same time broadly usable—payment acceptance solution.”
Rubean and CCV have worked together to develop and deploy the seamless solution. Rubean’s security and monitoring software meets the high requirements of a smartphone-based card terminal.
CCV’s acCEPT PaaS (Payment-as-a-Service) ecosystem, proven in thousands of live installations worldwide, is the optimum solution for the new tap-on-phone system because it moves most of the POS functionality to the cloud. This makes PhonePOS a lightweight app with increased security and flexibility.
Günther Froschermeier, chief technology officer of CCV Germany, commented, “PhonePOS is an important breakthrough for electronic payments. As cashless payments explode, the benefits of POS integration are becoming paramount.
For example, instead of using additional hardware, micro-merchants can use their Android smartphone for card acceptance, hospitality providers can integrate electronic payments within their ordering devices, and even large corporations can extend their business with home delivery solutions.”
“Using smartphones as payment terminals means security is crucial,” added Tim Hartog, Director of Mobile Payments at Riscure.
“A collaborative effort with Rubean and CCV through the development and certification process leveraged our powerful expertise and track record in mobile-payment security. PhonePOS makes optimal use of best-in-class software security to protect the solution, including secure PIN-entry through hardware-backed TEE technology.”
Intertrust’s whiteCryption solutions have been employed to protect the encryption keys and provide application hardening, bringing a higher level of tamper resistance to the application itself. Riscure provided sophisticated penetration testing and certification.
Intertrust announced the launch of whiteCryption Secure Key Box (SKB) for Web at the RSA Conference 2020. The first and only enterprise-ready white-box cryptography solution for web applications, it ensures that web apps can be used without fear of exposing the underlying keys and credentials to cyberattack.
It protects cryptographic keys even when running on a compromised host, and provides stronger and broader protection than low-level interfaces, such as the Web Crypto API, which do not secure against side-channel and other attacks running outside the browser.
“A lot of people think that by using cryptography they are securing their systems, but what they often don’t realize is that they are merely shifting the problem of data protection to protecting the keys,” said Bill Horne, general manager of the Secure Systems product group at Intertrust.
“Secure Key Box for Web prevents hackers from stealing keys from Web applications, resisting existing and future side-channel and fault injection attacks with ‘drop-in and go’ ease that requires no additional operations or protocols.”
Information shared via a browser often needs to be encrypted to ensure rogue actors cannot access proprietary data and systems, impersonate a legitimate user, generate fraudulent digital signatures, or modify or create entirely false data and transactions.
For example, applications increasingly use APIs to interact with server-side applications, yet browser APIs and third-party cryptographic libraries cannot protect keys from attacks on the underlying host without having access to underlying hardware security support.
Hackers are able to obtain keys through various techniques, including scanning memory at runtime for keys or examining code to find hard-coded keys, and then employ the same key in attacks against the server.
The solution prevents application attacks by enabling standard cryptographic functions to be performed without the keys ever being exposed, whether in use or at rest. SKB for Web also protects keys and credentials from side-channel attacks by making them safe from exploits running within the browser, as well as natively on the PC or device.