Security Risks for mHealth Apps and How to Mitigate Them

This blog explores:

• mHealth app usage is on the rise, but the rise in market profitability is shadowed by a concurrent rise in new and evolving security threats.
• Many mHealth app developers lack the experience and expertise to properly secure their mHealth apps, but the FDA’s STRIDE framework is a good place to start.
• Guardsquare’s products: AppSweep, DexGuard, iXGuard, and ThreatCast, can help developers build the strong security posture their mHealth apps need.

In our piece on mHealth apps and FDA approval, we defined mHealth apps as, “mobile technology that allows the user to monitor and share health information, including apps that allow physicians to diagnose and deliver care.” Determining whether or not an mHealth app requires FDA approval can be tricky. If you’re in doubt about your app’s need for FDA approval, make sure to visit our FDA approval post for a full breakdown on FDA approval criteria and a checklist to help you decide if this is necessary for your app.

mHealth app growing pains

In defining mHealth apps, we also touched briefly on the exponential growth of this market and found that the updated figures are even more impressive. In a recent study published by Global Industry Analysts, Inc., the organization estimated that the global market for mHealth apps will reach $16.6B by the end of 2026.

However, while mHealth apps are rising in popularity and profitability, we’re also seeing a concurrent rise in healthcare attacks. Thanks to the surge of cyberattacks in 2021, the cost of a typical healthcare security incident has risen 30% to $9.4 million in 2021 compared to the previous year. These incidents impacted more than 1.3 million people in the US alone, with more expected to take place in 2022.

Current state of mHealth app security

As more healthcare organizations and other businesses develop mHealth apps, there needs to be a synchronous focus on security. In 2021, researchers analyzed 20,000 mHealth apps in the Google Play store. They found that 45% of the apps relied on unencrypted communication, 23.0% sent personal data on unsecured traffic, and 1.8% contained suspicious code. These findings indicate significant security deficiencies in mHealth apps. Without stronger mobile app security for healthcare, organizations risk irreparable damage to their reputation, revenue, and most importantly, patients’ well-being.

The biggest barriers to mHealth app security development

A thorough understanding of the biggest security risks affecting mHealth apps is crucial when developing a strategy to protect against both emerging and evolving threats.

In 2021 researchers reviewed data from studies published between 2008-2020 to isolate the main challenges developers face when securing mHealth apps. The results were surprising. 63% developers demonstrated a lack of knowledge and expertise needed for secure app development, and 19% paid little to no attention to security during the mHealth app development process. This study indicates that there is an urgent need for organizations to start prioritizing the security posture of their mHealth apps.

So, where do we start? Let’s start by looking at what the FDA has to say about security risks most pressing to mHealth apps. Even if your mHealth app doesn’t require FDA approval, the regulatory body offers a solid strategy for addressing the most prevalent security risks threatening this particular type of app.

The most pressing security risks for mHealth apps

When it comes to the most common types of security risks mHealth app developers should protect against, the FDA segments threats based on a threat modeling framework called STRIDE. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges.

The FDA also offers a helpful playbook for threat modeling in medical devices, which contains a table that provides a description and example of each threat represented in the STRIDE acronym.

Image Credit: Playbook for Threat Modeling Medical Devices

In addition to this playbook, the FDA also shares guidance on how to mitigate cybersecurity risks to stay in compliance with their regulations. Some of the more high-level guidance from these assets include:

• Remain vigilant about identifying risks and hazards associated with medical devices, including risks related to cybersecurity.
• Evaluate network security and protect your systems.
• Put appropriate mitigations in place to address patient safety risks and ensure proper device performance.

Although this guidance is helpful, you’ll need the right tools and support to ensure you are fully equipped to act on this advice.

How Guardsquare can help with mitigating risks

AppSweep

Leveraging a mobile app security testing platform like AppSweep, helps mobile app developers improve their mHealth app’s security posture. This free, developer-centric tool enables them to gain actionable insights into their app code’s security risks and dependencies. Moreover, AppSweep has built-in support that provides coverage for the OWASP MSTG (Mobile Security Testing Guide) security requirements. The platform’s results can be filtered, which makes it easier to identify how the findings relate to the OWASP MASVS (Mobile Application Security Verification Standard) categories. Finally, AppSweep can also be easily integrated into popular CI/CD tools such as Bitrise, Github, and Jenkins.

DexGuard and iXGuard

Similarly, mobile application protection solutions, DexGuard and iXGuard, help mobile app developers to mitigate the risks represented in the STRIDE framework. These solutions provide the most comprehensive, full-spectrum mobile app protection available with extensive code hardening techniques such as code virtualization, call hiding, and code obfuscation for classes, fields, arithmetic instructions, and more. Each of these work together to protect against static analysis. Additionally, these solutions automatically inject runtime application self-protection (RASP) checks, preventing threat actors from tampering with apps at runtime. RASP injects checks like jailbreak detection, debugger detection, repackaging detection, code tracing detection, hook detection, and more.

Both DexGuard and iXGuard are equipped with polymorphic protection — a mechanism that permits each app build to have different code hardening and RASP configurations. Additionally, the RASP checks are applied in different locations, ensuring threat actors can’t reuse their prior knowledge.

ThreatCast

When it comes to real-time visibility into your iOS and Android apps, Guardsquare’s ThreatCast enables developers to view attacks and suspicious activity as they occur once the app is released. You can set custom alerts and actions to become aware of threat events as they occur and to respond to them before a breach occurs. This continuous monitoring and evaluation allows you to remain vigilant and evolve your security posture to minimize the risks and hazards that might be associated with your mHealth apps.

To learn more about how Guardsquare can help you identify and protect against the most common mHealth app risks, connect with one of our experts now!