APIs to communicate with other applications are good for developers and attackers
Out of 30 mobile Healthcare Apps tested by CriticalBlue - Approov API Protection, all of them could be hacked, opening access to millions of patient data records. 🔓
Modern Apps today use APIs to communicate with other applications, and the way they have implemented them is the reason for their vulnerability. 📬
Some of the concerning findings: 🔎
🧨 77% of the APIs tested used hardcoded API keys. (it means that once the key is extracted from the app, it can be reused indefinitely to connect to the app via this API)
🧨 7% contained hardcoded usernames and passwords.
🧨 27% didn't have code obfuscation protection against reverse engineering.
🧨 50% of them didn't authenticate API requests with tokens.
🧨 100% of them were vulnerable to BOLA (Broken Object Level Authorization) attacks, allowing an attacker to move from one patient's personal record to others and obtain their Personal Health Information.
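The BOLA finding above, as an added example that is not code from the report or the post: a minimal record-lookup handler that returns whichever record id the caller asks for, next to one that ties the object to the authenticated user. The records, tokens and user names are constructed sample data.

```python
# Added example: Broken Object Level Authorization (BOLA) in a health-record API
# handler, and the ownership check that closes it. Everything here is constructed
# sample data; a real API would validate signed tokens and query a database.

# Constructed patient records keyed by record id
PATIENT_RECORDS = {
    101: {"owner": "alice", "diagnosis": "sample-A"},
    102: {"owner": "bob", "diagnosis": "sample-B"},
}

# Constructed session tokens -> authenticated user
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Caller is not authenticated (no valid token)."""


class Forbidden(Exception):
    """Caller is authenticated but may not read the requested object."""


def get_record_vulnerable(token, record_id):
    """Checks only that the caller is logged in, then trusts the record id
    from the request: any authenticated user can walk through every record."""
    if token not in SESSIONS:
        raise Unauthorized()
    return PATIENT_RECORDS[record_id]


def get_record_fixed(token, record_id):
    """Resolves the caller from the token and enforces object-level
    authorization: the record is returned only if this user owns it."""
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized()
    record = PATIENT_RECORDS.get(record_id)
    # Same response for "no such record" and "not your record", so the
    # handler does not reveal which ids exist.
    if record is None or record["owner"] != user:
        raise Forbidden()
    return record


def count_reachable(handler, token, record_ids):
    """Test-style check a developer can run: how many records can one
    authenticated user read through the given handler?"""
    reachable = 0
    for record_id in record_ids:
        try:
            handler(token, record_id)
            reachable += 1
        except (Unauthorized, Forbidden, KeyError):
            pass
    return reachable
```

Running `count_reachable` over all ids with one user's token is a quick regression test: the vulnerable handler reaches every record, the fixed one only the caller's own.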
This is a warning to developers of Healthcare and other Apps managing sensitive personal information. It is also a warning to users of those applications to think twice before exposing sensitive personal data to them. ⚠️
What are the best practices in your organization to securely include APIs in your applications? 🤔
Links:
Critical Blue report: https://approov.io/mhealth/hacking/
Becky Bracken's article: https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/
LinkedIn post and comments: https://www.linkedin.com/posts/juanjomartinezpagan_cybersecurity-apisecurity-informationsecurity-activity-6768437824283779072-34wW