Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms
| Main authors: | Müthing, Jannis; Brüngel, Raphael; Friedrich, Christoph M |
|---|---|
| Format: | Online Article Text |
| Language: | English |
| Published: | JMIR Publications, 2019 |
| Subjects: | Original Paper |
| Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6364205/ https://www.ncbi.nlm.nih.gov/pubmed/30672738 http://dx.doi.org/10.2196/jmir.9818 |
_version_ | 1783393222913949696 |
---|---|
author | Müthing, Jannis Brüngel, Raphael Friedrich, Christoph M |
collection | PubMed |
description | BACKGROUND: The importance of mobile health (mHealth) apps is growing. Independent of the technologies used, mHealth apps bring more functionality into the hands of users. In the health context, mHealth apps play an important role in providing information and services to patients, offering health care professionals ways to monitor vital parameters or consult patients remotely. The importance of confidentiality in health care and the opaqueness of transport security in apps make the latter an important research subject. OBJECTIVE: This study aimed to (1) identify relevant security concerns on the server side of mHealth apps, (2) test a subset of mHealth apps regarding their vulnerability to those concerns, and (3) compare the servers used by mHealth apps with servers used in all domains. METHODS: Server security characteristics relevant to the security of mHealth apps were assessed, presented, and discussed. To evaluate servers, appropriate tools were selected. Apps from the Android and iOS app stores were selected and tested, and the results for functional and other backend servers were evaluated. RESULTS: The 60 apps tested communicate with 823 servers. Of these, 291 were categorized as functional backend servers, and 44 (44/291, 15.1%) of these received a rating below the A range (A+, A, and A−) by Qualys SSL Labs. A chi-square test was conducted against the number of servers receiving such ratings from SSL Pulse by Qualys SSL Labs. It was found that the tested servers from mHealth apps received significantly fewer ratings below the A range (P<.001). The internationally available apps from the test set performed significantly better than those only available in the German stores (alpha=.05; P=.03). Of the 60 apps, 28 (28/60, 47%) were found using at least one functional backend server that received a rating below the A range from Qualys SSL Labs, endangering confidentiality, authenticity, and integrity of the data displayed. The number of apps that used at least one entirely unsecured connection was 20 (20/60, 33%) when communicating with functional backend servers. It was also found that a majority of apps used advertising, tracking, or external content provider servers. When looking at all nonfunctional backend servers, 48 (48/60, 80%) apps used at least one server that received a rating below the A range. CONCLUSIONS: The results show that although servers in the mHealth domain perform significantly better regarding their security, there are still problems with the configuration of some. The most severe problems observed can expose patient communication with health care professionals, be exploited to display false or harmful information, or used to send data to an app facilitating further damage on the device. Following the recommendations for mHealth app developers, the most regularly observed security issues can be avoided or mitigated. |
format | Online Article Text |
id | pubmed-6364205 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2019 |
publisher | JMIR Publications |
record_format | MEDLINE/PubMed |
spelling | pubmed-6364205 2019-02-27 J Med Internet Res Original Paper JMIR Publications 2019-01-23 /pmc/articles/PMC6364205/ /pubmed/30672738 http://dx.doi.org/10.2196/jmir.9818 Text en ©Jannis Müthing, Raphael Brüngel, Christoph M Friedrich. Originally published in the Journal of Medical Internet Research (http://www.jmir.org), 23.01.2019. This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on http://www.jmir.org/, as well as this copyright and license information must be included. |
title | Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms |
topic | Original Paper |