10 API manipulation & attack vectors in healthcare

The use of e-Health mobile applications is increasing more than ever, both in their wide-usage and wide availability. Medical apps surged 53% in usage in Q2/2021 compared to the same period in 2019, according to a study from SensorTower.

Health-related information is a matter of sensitive nature, keeping that data and information private is of the highest importance to many. According to several studies, a healthcare record can be sold for 250-1000 USD depending on the content inside. Another study by IBM states that, as of 2021, the highest average cost of data breach is faced by the healthcare industry where it can amount up to 9.23 million USD. For comparison, the average cost of data breaches in the financial sector is only 5.72 million USD. There are many forms of threats to the healthcare industry, however, we would like to highlight the threats to the API misuse and manipulation

According to Gartner, more than 75% of applications lack basic security measures. In healthcare, patient data privacy and health care professionals, alike, this is of utmost importance.

API Manipulation and abuse practices

In an earlier Build38 blog post we already commented on API key leakage. This “bad news” has also been confirmed by an Aproov study and specifically states that all 30 samples of popular mobile health apps had some sort of hardcoded API vulnerability that could be exploited in many ways, including leakage of personal health information and identities. Aproov highlighted that: “77% of the apps tested contained hardcoded API keys used to authenticate the app to other services (such as payment processors), a major breach of best security practices. 7% of the apps had hardcoded usernames and passwords in plain text.

You can mitigate some API threats by carefully considering the best practices of the OWASP API Security Top 10 recommendations. Still, these recommendations do not solve the issues of the eHealth apps In-App protection nor the protection of API keys.

  • Broken User Authentication: Authentication mechanisms are often incorrectly configured, allowing attackers to break authentication tokens or to exploit flaws to assume other user’s identities temporarily or permanently.
  • Lack of Resources & Rate Limiting: Often, APIs do not impose any restrictions on the size or number of resources that can be requested by the end-user. This can impact API server performance, which may lead to Denial of Service (DoS), but may also be susceptible to brute force attacks
  • Security Misconfiguration: Security misconfiguration is commonly a result of unsecure default configurations in your network related correspondence.
  • Injection: Injection flaws occur when untrusted data is sent as part of a command or query. The attacker’s malicious attempt can trick the interpreter into executing unintended commands or accessing data without the right authorization.
  • Improper Assets Management: APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation is incredibly important.
  • Insufficient Logging & Monitoring: Insufficient logging and monitoring, paired with missing or ineffective integration with incident-response, allows attackers to pivot to more systems to tamper with to extract or destroy data. Most studies demonstrate that the time to detect a breach is over 200 days, usually detected by external parties rather than internal ones…

Build38 protects health care apps and their API’s in the following ways

By incorporating Build38’s TAK Suite within your health-related mobile applications, different attack attempts such as mentioned above can be mitigated and the result is a self-protected application. The mobile application is hardened against the following attack mechanisms:

• Reverse engineering

• Repackaging

• API-Scraping

• Secure channel for secure communication

• Secure storage

• Privilege escalation prevention (e.g., by means of root detection)

• Code injections

• Man-in-the-middle attacks

Protecting app intelligence

Therefore, get in touch with us today to get started on securing your applications by introducing security measures right from the start.