

February 8, 2022

10 API manipulation & attack vectors in healthcare


The use of e-Health mobile applications is growing faster than ever, both in how widely they are used and in how widely they are available. According to a SensorTower study, usage of medical apps surged 53% in Q2 2021 compared to the same period in 2019.

Health-related information is sensitive by nature, and keeping that data private is of the highest importance to many. According to several studies, a healthcare record can be sold for 250-1000 USD depending on its content. Another study by IBM states that, as of 2021, the healthcare industry faces the highest average cost of a data breach, which can amount to 9.23 million USD. For comparison, the average cost of a data breach in the financial sector is only 5.72 million USD. There are many forms of threats to the healthcare industry; here, however, we would like to highlight the threats of API misuse and manipulation.

According to Gartner:

> More than 75% of applications lack basic security measures. In healthcare, for patient data privacy and healthcare professionals alike, this is of utmost importance.

API Manipulation and abuse practices

In an earlier Build38 blog post we already commented on API key leakage. This bad news has also been confirmed by an Approov study, which found that all 30 popular mobile health apps it sampled had some sort of hardcoded API vulnerability that could be exploited in many ways, including leakage of personal health information and identities. Approov highlighted that: “77% of the apps tested contained hardcoded API keys used to authenticate the app to other services (such as payment processors), a major breach of best security practices. 7% of the apps had hardcoded usernames and passwords in plain text.”
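The check a practitioner wants after reading those numbers is to scan their own app build for the same defect before it ships. The following scanner is an added example, not Build38's or Approov's code: it flags likely hardcoded API keys and plain-text credentials in strings extracted from an app bundle. The key formats, the generic name-value rule and the sample strings are constructed for illustration.

```python
import math
import re

# Signatures for a few well-known key formats plus a generic "name = value" rule.
# Constructed for this example; production scanners carry far larger rule sets.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score higher than dictionary words."""
    if not s:
        return 0.0
    total = len(s)
    return -sum((n / total) * math.log2(n / total)
                for n in (s.count(c) for c in set(s)))

def scan_text(text: str) -> list:
    """One finding per (line, rule) hit: line number, rule, matched value, entropy."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)   # last group = the value part
                findings.append({"line": no, "rule": rule, "value": value,
                                 "entropy": round(shannon_entropy(value), 3)})
    return findings

# Constructed sample: strings as they might be pulled from a built app bundle
# (resource XML, config constants). Every value here is fake.
SAMPLE_STRINGS = """\
<string name="app_name">HealthTracker</string>
BASE_URL = "https://api.example-health.invalid/v2"
PAYMENT_API_KEY = "AKIAABCDEFGHIJKLMNOP"
google_maps_key=AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q
db_password = "changeme123"
debug = false
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS):
        # A low-entropy generic hit usually means a plain-text password rather than a key.
        print(f"line {f['line']}: {f['rule']} value={f['value']!r} entropy={f['entropy']}")
```

Run it against the string tables and config files of a release build as a CI gate; anything it flags should be moved out of the app and fetched at runtime from a protected backend.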

You can mitigate some API threats by carefully following the best practices in the OWASP API Security recommendations. Still, these recommendations do not solve the in-app protection of eHealth apps nor the protection of API keys. Among the OWASP API Security Top 10, the following categories are the most relevant here:

  • Broken User Authentication: Authentication mechanisms are often incorrectly implemented, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently.
  • Lack of Resources & Rate Limiting: Often, APIs do not impose any restrictions on the size or number of resources that can be requested by the end user. This can impact API server performance, which may lead to Denial of Service (DoS), and it also leaves the API susceptible to brute-force attacks.
  • Security Misconfiguration: Security misconfiguration is commonly a result of insecure default configurations, for example in how the app and its backend communicate over the network.
  • Injection: Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • Improper Assets Management: APIs tend to expose more endpoints than traditional web applications, which makes proper and up-to-date documentation incredibly important.
  • Insufficient Logging & Monitoring: Insufficient logging and monitoring, paired with missing or ineffective integration with incident response, allows attackers to pivot to further systems, tamper with them, and extract or destroy data. Most studies show that the time to detect a breach is over 200 days, and that breaches are usually detected by external parties rather than internal ones.
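The monitoring side of the rate-limiting and logging items above, as an added example that is not part of the original post: detection logic that runs over constructed API access-log lines and flags, per client and inside a sliding 60-second window, failed-login floods, username enumeration at the login endpoint, and bulk fetching of patient records. The log format, the endpoint paths, the thresholds and the addresses (documentation ranges) are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLDS = {"login_bruteforce": 5,   # failed (401) logins per client per window
              "user_enumeration": 3,   # distinct usernames tried at /v2/login
              "record_scraping": 10}   # distinct /v2/patients/<id> records fetched

def parse(lines):
    """Parse constructed lines: '<iso-time> <client> <user> <method> <path> <status>'."""
    events = []
    for seq, line in enumerate(l for l in lines.splitlines() if l.strip()):
        ts, client, user, _method, path, status = line.split()
        events.append({"seq": seq, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "user": user, "path": path, "status": int(status)})
    return events

def peak_in_window(events, key):
    """Largest number of distinct key(e) values among events inside any one WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    peak = 0
    for i, start in enumerate(events):
        inside = {key(e) for e in events[i:] if e["ts"] - start["ts"] <= WINDOW}
        peak = max(peak, len(inside))
    return peak

def detect(lines):
    """Return sorted (client, rule) alerts: the baseline monitoring the list above calls for."""
    by_client = defaultdict(list)
    for e in parse(lines):
        by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        logins = [e for e in evs if e["path"] == "/v2/login"]
        failed = [e for e in logins if e["status"] == 401]
        records = [e for e in evs if e["path"].startswith("/v2/patients/") and e["status"] == 200]
        observed = {"login_bruteforce": peak_in_window(failed, lambda e: e["seq"]),
                    "user_enumeration": peak_in_window(logins, lambda e: e["user"]),
                    "record_scraping": peak_in_window(records, lambda e: e["path"])}
        alerts += [(client, rule) for rule, n in observed.items() if n >= THRESHOLDS[rule]]
    return sorted(alerts)

# Constructed sample log (documentation IPs, fake users): one client hammering /v2/login
# with several usernames, one harvesting patient records, one benign user.
LOG_LINES = "\n".join(
    [f"2022-02-08T10:00:{i:02d}Z 203.0.113.7 {u} POST /v2/login 401"
     for i, u in enumerate(["alice", "alice", "bob", "carol", "dave", "alice"])]
    + [f"2022-02-08T10:01:{i:02d}Z 203.0.113.9 bob GET /v2/patients/{1000 + i} 200" for i in range(12)]
    + ["2022-02-08T10:00:05Z 198.51.100.4 erin POST /v2/login 200",
       "2022-02-08T10:00:06Z 198.51.100.4 erin GET /v2/patients/42 200"])
```

Calling `detect(LOG_LINES)` yields alerts for the two abusive clients and nothing for the benign one; in practice the same counters drive the rate limits the API should enforce before the alert ever fires.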

Build38 protects healthcare apps and their APIs in the following ways

By incorporating Build38’s TAK Suite within your health-related mobile applications, attack attempts such as those mentioned above can be mitigated, and the result is a self-protected application. The mobile application is hardened against the following attacks and equipped with the following protections:

  • Reverse engineering
  • Repackaging
  • API scraping
  • Secure channel for communication (against eavesdropping and tampering)
  • Secure storage
  • Privilege escalation prevention (e.g., by means of root detection)
  • Code injection
  • Man-in-the-middle attacks


In conclusion, the exponential growth of e-Health mobile applications has brought about a crucial need for robust security measures. With sensitive health-related data becoming increasingly valuable and prone to breaches, the importance of safeguarding against threats such as API manipulation and misuse cannot be overstated. The prevalence of vulnerabilities, highlighted by studies revealing widespread API key leakage and other security flaws, underscores the urgent need for comprehensive security solutions.

Despite the existence of best practices like the OWASP API Security Top 10 recommendations, the challenges of protecting eHealth apps and API keys persist. However, by integrating Build38’s TAK Suite into health-related mobile applications, organizations can fortify their defenses and ensure a self-protected environment. Through measures like reverse engineering prevention, secure communication channels, and privilege escalation prevention, Build38 offers a comprehensive solution to mitigate the risks posed by malicious actors. As the healthcare industry continues to navigate the digital landscape, proactive steps towards securing sensitive data are paramount to safeguarding patient privacy and maintaining trust in the integrity of healthcare systems.

