  • juanjomartinez56

APIs for communicating with other applications are good for developers, and for attackers

Of the 30 mobile healthcare apps tested by CriticalBlue (Approov API Protection), every single one could be hacked, exposing millions of patient records.


Modern apps rely on APIs to talk to their backends and to other applications, and the way those APIs were implemented in these apps is what makes them vulnerable.


Some of the concerning findings:

• 77% of the apps contained hardcoded API keys. Anyone who extracts such a key from the app package can call the backend API as if they were the legitimate app, for as long as the key remains valid (and rotating it breaks every installed copy).

• 7% contained hardcoded usernames and passwords.

• 27% had no code obfuscation to slow down reverse engineering.

• 50% did not authenticate API requests with tokens.

• 100% were vulnerable to BOLA (Broken Object Level Authorization) attacks: an attacker authorized to view one patient's record can change the record identifier in the request and read other patients' personal health information.
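The token-authentication and BOLA findings above, as an added example that is not code from the Approov report or from this post: a toy in-memory Python model of a patient-records endpoint, with a handler that has both defects next to a hardened one, plus the ID-walking loop an attacker runs against the vulnerable version. Every record, token, ID and the session table are constructed for illustration.

```python
"""Toy patient-records API: a BOLA-vulnerable handler beside a hardened one.

Added example, not code from the Approov report or this post. Every record,
token and ID below is constructed for illustration.
"""


class ApiError(Exception):
    """Carries the HTTP status a real handler would return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


# Constructed sample data. Sequential record IDs, as in many real backends,
# make the ID space trivial to walk.
PATIENT_RECORDS = {
    1001: {"name": "Patient A", "diagnosis": "hypertension"},
    1002: {"name": "Patient B", "diagnosis": "type 2 diabetes"},
    1003: {"name": "Patient C", "diagnosis": "asthma"},
}

# Constructed session table: bearer token -> caller identity and the set of
# record IDs that caller may read. A real backend would validate a signed JWT
# or look up an opaque random token in a session store.
SESSIONS = {
    "tok-patient-a": {"user": "alice", "allowed_ids": {1001}},
    "tok-clinician": {"user": "dr-x", "allowed_ids": {1001, 1002, 1003}},
}


def vulnerable_get_record(patient_id, token=None):
    """The defect pattern the report describes: the record is fetched by the
    ID the client supplies, the bearer token is never checked, and nothing
    asks whether this caller may see this particular object."""
    record = PATIENT_RECORDS.get(patient_id)
    if record is None:
        raise ApiError(404, "not found")
    return record


def authenticate(token):
    """Reject any request that does not carry a known token (401)."""
    session = SESSIONS.get(token)
    if session is None:
        raise ApiError(401, "unauthenticated")
    return session


def hardened_get_record(patient_id, token=None):
    """Authenticate first, then enforce object-level authorization."""
    session = authenticate(token)
    record = PATIENT_RECORDS.get(patient_id)
    # Same 404 for "does not exist" and "exists but is not yours", so the
    # response does not tell an attacker which IDs are real.
    if record is None or patient_id not in session["allowed_ids"]:
        raise ApiError(404, "not found")
    return record


def walk_id_space(handler, token, id_range):
    """What an attacker does after seeing one record ID in their own traffic:
    replay the request for every nearby ID and keep whatever comes back."""
    leaked = {}
    for pid in id_range:
        try:
            leaked[pid] = handler(pid, token)
        except ApiError:
            continue
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no token:", sorted(walk_id_space(vulnerable_get_record, None, ids)))
    print("hardened, patient A: ", sorted(walk_id_space(hardened_get_record, "tok-patient-a", ids)))
    print("hardened, no token:  ", sorted(walk_id_space(hardened_get_record, None, ids)))
```

Two design points worth noting. The hardened handler authenticates before it touches the data, and it answers "not yours" and "does not exist" identically, so the ID walk yields only the caller's own record and no hint about which other IDs are real. The token is also per user rather than a single key baked into the app, which is what lets a backend revoke one compromised caller without rebuilding and redistributing the app. Random, non-sequential record IDs are a useful extra hurdle, but only the ownership check actually closes the BOLA hole.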


This is a warning to developers of healthcare apps and of any other app that handles sensitive personal information. It is also a warning to users of those apps to think twice before entrusting sensitive personal data to them.


What are the best practices in your organization for securely including APIs in your applications?


Links:

CriticalBlue report: https://approov.io/mhealth/hacking/

Becky Bracken's article: https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/

LinkedIn post and comments: https://www.linkedin.com/posts/juanjomartinezpagan_cybersecurity-apisecurity-informationsecurity-activity-6768437824283779072-34wW
