Approov, creators of advanced API threat protection for mobile applications, today announced a March 4 webinar presenting new data from research into API-focused mobile attacks. The company also announced sponsorship of the next phase of that research, with a call for developers to participate.
The first report, which can be downloaded at https://approov.io/mhealth/hacking/, revealed that fully 100 percent of the 30 popular mHealth apps analyzed by Alissa Knight, partner at Knight Ink, are vulnerable to API attacks that can allow unauthorized access to full patient records including protected health information (PHI) and personally identifiable information (PII). The study underscores the API shielding actions now urgently required to protect mHealth apps from API abuse.
“The report downloads have been strong and initial findings have demonstrated a need to look deeper into security best practices for SMART and FHIR. Compliance may not be enough, which is why we are sponsoring this research,” said Approov CEO and co-founder David Stewart. “Knight Ink will do the research during March 2021. Apps tested won’t be identified in the report and Alissa Knight is actively seeking participants in the study. This gives developers an opportunity to have their mobile healthcare apps and APIs pen-tested confidentially by an industry-leading API security expert for free.”
This research is critical and timely because use of FHIR has been mandated by the ONC to drive interoperability and to empower patients to access and manage their own healthcare data. Data from ONC shows that 85% of providers have FHIR in their information systems. The standard is still evolving, but it has been mandated in a number of regulations and is already in use for medical record exchange: it can be used to send and receive lab results, prescriptions, and medications, and patients already use it to access their health data, for example via Apple’s Health Record app. SMART defines a framework for mobile apps to access FHIR APIs.
The new research will test current apps against the standards and recommended security practices, and will make recommendations based on the findings. If you are implementing SMART apps using FHIR APIs, we invite you to participate. Interested developers should contact Knight Ink directly to sign up at email@example.com.
Approov will host a live webinar on March 4, 2021 at 1:00 p.m. EST, co-hosted by independent security researcher Alissa Knight, partner at Knight Ink, and Skip Hovsmith, principal engineer and VP Americas for Approov. The webinar will cover in depth the mHealth applications tested, the tools and techniques used to expose vulnerabilities in the apps and APIs, and the types of issues found. Next steps in the research will also be covered, and a live demonstration will show how to address the issues highlighted in the report.
Knight has 20 years of experience in cybersecurity as a penetration tester and vulnerability researcher. She is an industry influencer, content creator, and partner at Knight Ink. Knight is a recognized author. She recently published a book on hacking connected cars and reports on vulnerabilities in Fintech and mHealth apps. Hovsmith heads Approov’s US team, and is based in California. His focus is on helping customers secure API usage between mobile apps and their backend services. He has deep experience in accelerating mobile and embedded software running on multicore and custom coprocessor platforms. He is a frequent speaker at conferences on mobile apps, APIs and cybersecurity.
To register for the March 4 webinar, go to https://us02web.zoom.us/webinar/register/WN_gVmmKhQPTZqKM-p0td0NQg
Approov solutions help stop API abuse at the edge and prevent security breaches in mobile channels. As more businesses move to digitalization and future-ready services that rely on mobile API connections, securing those connections properly is often overlooked or not fully implemented against all possible threats, exposing organizations and their users to breaches, fraud, denial of service, and other forms of API abuse. Knight Ink found that the Approov solution was effective in preventing 100 percent of the unauthorized API requests described in the report.
Approov API Threat Protection provides a multi-factor, end-to-end mobile API security solution that complements identity management, endpoint, and device protection to lock down proper API usage. It ensures that only safe and approved apps running in safe environments can successfully and securely access an organization’s APIs, and turns away unauthorized access by attacker scripts, bots, and fake or tampered apps. https://www.approov.io/
Research Report – All That We Let In: https://approov.io/mhealth/hacking/
Infographic – All That We Let In: https://approov.io/download/all-that-we-let-in-hacking-mhealth-apps-and-apis-infographics.pdf (Facts on Vulnerabilities in Mobile Health Apps and APIs)
Approov mHealth blog – Exposing Vulnerabilities in mHealth Apps and APIs: https://blog.approov.io/exposing-vulnerabilities-in-mhealth-apps-and-apis
Approov healthcare case study – How MV Healthcare Uses Approov to Give Flexibility to Physicians while Protecting Patient Data: https://www.approov.io/customer/mv/
Knight Ink: https://www.knightinkmedia.com