Top Health and Finance Apps Have Significant Vulnerabilities
2014 saw mobile apps for health and finance soared in use. The Department of Homeland Security noted an increase in cyber security risks on these apps due to malware and virus issues. However, policymakers have not taken steps to protect users since it has not affected anyone past the computer program, yet.
Arxan, a security protection firm for computer and electronic devices, found that of the 126 most popular mobile health and finance apps, 90 percent had major security vulnerabilities and the consumers do not know about the gaps in protection.
Arxan’s fifth annual State of Application Security Report posted on its website has found the false perception of security of mobile apps and the consumers’ misguided confidence in the secure use of the apps. The report covers apps in the US, UK, Germany and Japan.
While the majority of app users and app executives indicate that they believe their apps to be secure, nearly all the apps assessed by Arxan, including popular banking and payment apps and FDA-approved health apps, proved to be vulnerable to at least two of the OWASP Mobile Top 10 Risks.
Arxan’s report showed that of the 1083 consumers, of which 268 were IT executives and 815 were consumers; the survey revealed there is a wide discrepancy between the security of the mobile apps and the consumers’ perceived belief in their cyber security as follows:
- Consumers and app executives believe their mobile health and finance apps are secure.
- The majority of mobile health and finance apps contain critical security vulnerabilities.
- The security and safety risks are real and significant.
- Most consumers would change providers if they knew their apps were not secure.
The Arxan report found that of the FDA-approved apps, 84 percent were vulnerable to two of the top ten security risks listed in the study. A larger gap was shown since 98 percent of the apps did not have a binary code protection, allowing for reverse engineering and 84 percent had poor transport layer protection which opens the user to loss of important medical data intended for their physician review. A more lethal danger in the loss of secured transfer of medical data is that an incorrect dose of medicine may be sent to harm a patient.
Since the FDA has not specifically addressed mobile medical apps as a separate category of devices for cyber security, app developers can refer to the FDA’s guidance Content of Premarket Submissions for Management of Cybersecurity issued in October 2014. The guidance issued by the FDA provides software information for effective cybersecurity management.
The highlights for Finance in the report are:
- All of the top mobile banking and payment apps tested had, at least, one OWASP Mobile Top 10 Risk. 100 percent of the mobile finance apps tested, which are commonly used for mobile banking and for electronic payments, was shown to be susceptible to code tampering and reverse-engineering.
- Android apps were shown to be more secure than iOS apps, and 59 percent of the Android mobile finance apps tested had at least three OWASP Mobile Top 10 Risks, whereas 100 percent of the iOS apps tested had at least 3 top risks.
The full 2016 Arxan State of Application Security Report with methodology, consolidated (mobile health and finance), health-specific and finance-specific findings can be found on the Arxan website, here.
Featured image from Shutterstock.