• juanjomartinez56

APIs to communicate with other applications are good for developers and attackers

Out of 30 mobile Healthcare Apps tested by CriticalBlue - Approov API Protection, all of them could be hacked, opening access to millions of patient data records. 🔓


Modern apps use APIs to communicate with other applications, and the way those APIs have been implemented is the reason the apps are vulnerable. 📬


Some of the concerning findings: 🔎


🧨 77% of the APIs tested used hardcoded API keys (once the key is known, anyone can keep calling the API as if they were the app).


🧨 7% contained hardcoded usernames and passwords.


🧨 27% didn't have code obfuscation protection against reverse engineering.


🧨 50% of them didn't authenticate API requests with tokens.


🧨 100% of them were vulnerable to BOLA (Broken Object Level Authorization) attacks, allowing an attacker to move from one patient's personal record to other patients' records and obtain their Personal Health Information.
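As an added illustration (not code from the Approov report or from this post), a minimal Python record-lookup handler showing the two gaps the findings describe, unauthenticated requests and missing object-level authorization (BOLA), next to a hardened version; the tokens, users and records are constructed sample data.

```python
# Added example, not from the report or the post: a record-lookup handler with
# the BOLA / missing-token defects described above, beside a hardened version.
# All tokens, users and records below are constructed sample data.
import hmac
from typing import Optional

# Constructed session store: opaque bearer token -> subject, role, entitled records
SESSIONS = {
    "tok-alice": {"sub": "p-1001", "role": "patient", "patients": {"p-1001"}},
    "tok-drlee": {"sub": "c-7", "role": "clinician", "patients": {"p-1001", "p-1002"}},
}

# Constructed patient records keyed by the object id that appears in the URL
RECORDS = {
    "p-1001": {"name": "A. Example", "diagnosis": "constructed"},
    "p-1002": {"name": "B. Example", "diagnosis": "constructed"},
    "p-1003": {"name": "C. Example", "diagnosis": "constructed"},
}


def lookup_session(authorization: Optional[str]):
    """Resolve a 'Bearer <token>' header to a session, or None if absent/invalid."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    presented = authorization[len("Bearer "):]
    for token, session in SESSIONS.items():
        if hmac.compare_digest(token, presented):  # constant-time comparison
            return session
    return None


def get_record_vulnerable(patient_id: str, authorization: Optional[str] = None):
    """BOLA: trusts the id in the URL and never checks who is asking."""
    return RECORDS.get(patient_id)


def get_record_hardened(patient_id: str, authorization: Optional[str] = None):
    """Authenticate the caller, then authorize access to this specific object."""
    session = lookup_session(authorization)
    if session is None:
        return {"status": 401, "error": "missing or invalid token"}
    # Object-level authorization: the subject must be entitled to *this* record,
    # not merely be a logged-in user of the app.
    if patient_id not in session["patients"]:
        return {"status": 403, "error": "not authorized for this record"}
    record = RECORDS.get(patient_id)
    if record is None:
        return {"status": 404, "error": "no such record"}
    return {"status": 200, "record": record}
```

The vulnerable handler returns any record for any caller, which is exactly the record-to-record traversal the report describes; the hardened one fails closed on a missing token and on an id the caller is not entitled to.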


This is a warning to developers of healthcare apps and of any other apps that manage sensitive personal information. It is also a warning to users of those applications to think twice before exposing sensitive personal data to them. ⚠️


What are the best practices in your organization to securely include APIs in your applications? 🤔


Links:

Critical Blue report: https://approov.io/mhealth/hacking/

Becky Bracken's article: https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/

LinkedIn post and comments: https://www.linkedin.com/posts/juanjomartinezpagan_cybersecurity-apisecurity-informationsecurity-activity-6768437824283779072-34wW
