APIs to communicate with other applications are good for developers and attackers

Out of 30 mobile Healthcare Apps tested by CriticalBlue - Approov API Protection, all of them could be hacked, opening access to millions of patient data records. 🔓

Modern Apps use APIs to communicate with other applications, and the way those APIs have been implemented is the reason these Apps are vulnerable. 📬

Some of the concerning findings: 🔎

🧨 77% of the APIs tested used hardcoded API keys. (Once the key is extracted from the app, anyone holding it can keep calling the API as if they were the app.)

🧨 7% contained hardcoded usernames and passwords.

🧨 27% didn't have code obfuscation protection against reverse engineering.

🧨 50% of them didn't authenticate API requests with tokens.

🧨 100% of them were vulnerable to BOLA (Broken Object Level Authorization) attacks, allowing an attacker to move from one patient's record to other patients' records and obtain their Personal Health Information.
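To make the last two findings concrete, here is an added illustration (not code from the report or from any of the tested Apps): a minimal in-process model of a patient-records API, with a handler that serves any record id to any caller beside a hardened one that first authenticates the request token and then enforces object-level authorization. The record and session data are constructed sample values.

```python
import hmac
import logging

# Constructed sample data: patient records keyed by id, each owned by one patient.
RECORDS = {
    "rec-1001": {"patient": "alice", "data": "lab results A"},
    "rec-1002": {"patient": "bob", "data": "lab results B"},
}
# Constructed session tokens issued at login (token -> authenticated user).
SESSIONS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}


def get_record_vulnerable(record_id):
    """BOLA-style handler: no caller identity, so any known record id is served."""
    record = RECORDS.get(record_id)
    return (200, record) if record is not None else (404, None)


def authenticate(token):
    """Resolve a bearer token to a user; None if missing or unknown.

    Compares in constant time so a timing side channel cannot leak
    how much of a guessed token matched.
    """
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token or ""):
            return user
    return None


def get_record_hardened(token, record_id):
    """Authenticate the request, then check the caller owns the record."""
    user = authenticate(token)
    if user is None:
        return (401, None)  # no valid token: request is rejected outright
    record = RECORDS.get(record_id)
    if record is None:
        return (404, None)
    if record["patient"] != user:
        # Object-level authorization: deny and log. A burst of these
        # from one session is the detection signal for BOLA probing.
        logging.warning("denied user=%s record=%s", user, record_id)
        return (403, None)
    return (200, record)
```

Some deployments return 404 instead of 403 on the ownership failure so the response does not confirm that a record id exists; the audit log entry is the part that matters for detection.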

This is a warning to developers of Healthcare and other Apps that manage sensitive personal information. It is also a warning to users of those applications to think twice before exposing sensitive personal data to them. ⚠️

What are the best practices in your organization to securely include APIs in your applications? 🤔

Links:

CriticalBlue report: https://approov.io/mhealth/hacking/

Becky Bracken's article: https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/

LinkedIn post and comments: https://www.linkedin.com/posts/juanjomartinezpagan_cybersecurity-apisecurity-informationsecurity-activity-6768437824283779072-34wW

