
Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues


Bibliographic Details
Main Authors: Müthing, Jannis, Jäschke, Thomas, Friedrich, Christoph M
Format: Online Article Text
Language: English
Published: JMIR Publications 2017
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5666225/
https://www.ncbi.nlm.nih.gov/pubmed/29046271
http://dx.doi.org/10.2196/mhealth.7791
Collection: PubMed
Description: BACKGROUND: Mobile health (mHealth) apps show a growing importance for patients and health care professionals. Apps in this category are diverse. Some display important information (ie, drug interactions), whereas others help patients to keep track of their health. However, insufficient transport security can lead to confidentiality issues for patients and medical professionals, as well as safety issues regarding data integrity. mHealth apps should therefore deploy intensified vigilance to protect their data and integrity. This paper analyzes the state of security in mHealth apps. OBJECTIVE: The objectives of this study were as follows: (1) identification of relevant transport issues in mHealth apps, (2) development of a platform for test purposes, and (3) recommendation of practices to mitigate them. METHODS: Security characteristics relevant to the transport security of mHealth apps were assessed, presented, and discussed. These characteristics were used in the development of a prototypical platform facilitating streamlined tests of apps. For the tests, six lists of the 10 most downloaded free apps from three countries and two stores were selected. As some apps were part of these top 10 lists in more than one country, 53 unique apps were tested. RESULTS: Out of the 53 apps tested from three European App Stores for Android and iOS, 21/53 (40%) showed critical results. All 21 apps failed to guarantee the integrity of data displayed. A total of 18 apps leaked private data or were observable in a way that compromised confidentiality between apps and their servers; 17 apps used unprotected connections; and two apps failed to validate certificates correctly. None of the apps tested utilized certificate pinning. Many apps employed analytics or ad providers, undermining user privacy. CONCLUSIONS: The tests show that many mHealth apps do not apply sufficient transport security measures. The most common security issue was the use of any kind of unprotected connection. Some apps used secure connections only for selected tasks, leaving all other traffic vulnerable.
Record: pubmed-5666225, MEDLINE/PubMed (National Center for Biotechnology Information)
Publication and License: JMIR Mhealth Uhealth, Original Paper, published by JMIR Publications on 2017-10-18. ©Jannis Müthing, Thomas Jäschke, Christoph M Friedrich. Originally published in JMIR Mhealth and Uhealth (http://mhealth.jmir.org), 18.10.2017. This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mhealth and uhealth, is properly cited. The complete bibliographic information, a link to the original publication on http://mhealth.jmir.org/, as well as this copyright and license information must be included.