It seems little has changed over the last several years when it comes to how health and fitness apps go about securing user information.
According to a survey carried out by the firm Arxan last fall, 86 percent of health apps it reviewed at had at least two critical vulnerabilities and 55 percent of users it talked to expected their apps to be hacked in the next six months.
Apps that specialize in fitness have been a common mark for attackers in the last few years as many encourage users to enter personal information. A bug surfaced in MyFitnessPal a few years ago that made it easy for an attacker to pull the profile information of users. That bug has since been patched, but the attack vector remains viable for many apps.
Arxan, a Maryland-based tech firm, looked at 71 apps from the U.S., U.K., Germany, and Japan measured up against the Open Web Application Security Project’s (OWASP) top 10 mobile risks. Separately, the firm interviewed 1,083 individuals, both health app users, and IT decision makers, who produce health apps. The firm released its findings this week via the healthcare edition of its annual State of Application Security Report. (.PDF)
The firm found a whopping 97 percent of apps lacked binary protection, 79 percent of apps had insufficient transport layer protection, and 56 percent of apps experienced unintended data leakage.
Many of the bugs open the apps to tampering, something that makes it easier to attackers to potentially reverse engineer apps or leak users’ personal information, according to the firm.
When it came to other outcomes, Sam Rehman, the company’s CTO painted a grave picture.
“Imagine having your mobile health app leak your personal health information or your app reprogrammed to instruct you to deliver a lethal dose of medication,” Rehman said of the survey’s findings
The report didn’t specify which apps it screened but did note that among the apps were 19 approved by the U.S. Food and Drug Adminstration and 15 approved by the U.K.’s National Health Service.
In response to the burgeoning wearables market, the Federal Trade Commission conducted a study nearly two years ago and looked at 12 mobile health apps. The apps were ultimately found sending user information to 76 different third parties. Some sent sleeping patterns, eating habits, even GPS-based running routes. Four of the apps didn’t even bother to anonymize the information.
As the privacy and security implications continue to swirl around these types of apps, they remain a focus for the FTC, which has settled a handful of allegations against companies over the last several years. With Gartner predicting that roughly 1.4 billion health and fitness units will ship by 2020 – an increase from the 300 million last year – it’s safe to assume those allegations will rise.
