APIs to communicate with other applications are good for developers and attackers

Out of 30 mobile Healthcare Apps tested by CriticalBlue - Approov API Protection, all of them could be hacked, opening access to millions of patient data records. 🔓

Modern Apps today use APIs to communicate with other applications, and the way they have implemented them is the reason for their vulnerability. 📬

Some of the concerning findings: 🔎

🧨 77% of the APIs tested used hardcoded API keys. (it means once you get to know the key, you can always connect to the app via this API)

🧨 7% contained hardcoded usernames and passwords.

🧨 27% didn't have code obfuscation protection against reverse engineering.

🧨 50% of them didn't authenticate API requests with tokens.

🧨 100% of them were vulnerable to BOLA attacks, allowing the attacker to move from one patient personal record to others and obtain their Personal Health Information.

This is a warning to developers of Healthcare and other Apps managing personal sensible information. It is also a warning to users of those applications to think twice before exposing personal sensible data to them. ⚠️

What are the best practices in your organization to securely include APIs in your applications? 🤔

Links: Critical Blue report: https://approov.io/mhealth/hacking/

Becky Bracken's article: https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/ LinkedIn post and comments: https://www.linkedin.com/posts/juanjomartinezpagan_cybersecurity-apisecurity-informationsecurity-activity-6768437824283779072-34wW