Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms


Bibliographic Details

Main Authors: Müthing, Jannis; Brüngel, Raphael; Friedrich, Christoph M
Format: Online Article Text
Language: English
Published: JMIR Publications 2019
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6364205/
https://www.ncbi.nlm.nih.gov/pubmed/30672738
http://dx.doi.org/10.2196/jmir.9818
author Müthing, Jannis
Brüngel, Raphael
Friedrich, Christoph M
collection PubMed
description

BACKGROUND: The importance of mobile health (mHealth) apps is growing. Independent of the technologies used, mHealth apps bring more functionality into the hands of users. In the health context, mHealth apps play an important role in providing information and services to patients, offering health care professionals ways to monitor vital parameters or consult patients remotely. The importance of confidentiality in health care and the opaqueness of transport security in apps make the latter an important research subject.

OBJECTIVE: This study aimed to (1) identify relevant security concerns on the server side of mHealth apps, (2) test a subset of mHealth apps regarding their vulnerability to those concerns, and (3) compare the servers used by mHealth apps with servers used in all domains.

METHODS: Server security characteristics relevant to the security of mHealth apps were assessed, presented, and discussed. To evaluate servers, appropriate tools were selected. Apps from the Android and iOS app stores were selected and tested, and the results for functional and other backend servers were evaluated.

RESULTS: The 60 apps tested communicate with 823 servers. Of these, 291 were categorized as functional backend servers, and 44 (44/291, 15.1%) of these received a rating below the A range (A+, A, and A−) by Qualys SSL Labs. A chi-square test was conducted against the number of servers receiving such ratings from SSL Pulse by Qualys SSL Labs. It was found that the tested servers from mHealth apps received significantly fewer ratings below the A range (P<.001). The internationally available apps from the test set performed significantly better than those only available in the German stores (alpha=.05; P=.03). Of the 60 apps, 28 (28/60, 47%) were found using at least one functional backend server that received a rating below the A range from Qualys SSL Labs, endangering confidentiality, authenticity, and integrity of the data displayed. The number of apps that used at least one entirely unsecured connection was 20 (20/60, 33%) when communicating with functional backend servers. It was also found that a majority of apps used advertising, tracking, or external content provider servers. When looking at all nonfunctional backend servers, 48 (48/60, 80%) apps used at least one server that received a rating below the A range.

CONCLUSIONS: The results show that although servers in the mHealth domain perform significantly better regarding their security, there are still problems with the configuration of some. The most severe problems observed can expose patient communication with health care professionals, be exploited to display false or harmful information, or used to send data to an app facilitating further damage on the device. Following the recommendations for mHealth app developers, the most regularly observed security issues can be avoided or mitigated.
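The RESULTS paragraph reports two kinds of figures: per-server and per-app counts derived from Qualys SSL Labs grades (split by the paper's functional/nonfunctional server categories, with the A range meaning A+, A, A−) and a chi-square comparison of the below-A proportion against a reference population. The following Python is an added example, not code from the paper or from any app it tested. It reproduces those computations on a constructed scan table; the hostnames, grades and the reference-population column are made up (the SSL Pulse totals the authors compared against are not on this page), and the choice to count only graded HTTPS servers in the below-A figure while reporting cleartext HTTP connections separately is an assumption about the paper's method.

```python
"""Per-app TLS posture summary and a 2x2 chi-square comparison.

Added example, not the paper's code. The scan records are constructed:
hostnames use the reserved .test TLD and the grades are invented.
Categories follow the paper's split into functional backend servers and
other (advertising/tracking/content) servers; the A range is A+, A, A-.
"""
from math import erfc, sqrt

A_RANGE = {"A+", "A", "A-"}

# Constructed scan results: (app, host, category, scheme, ssl_labs_grade).
# Cleartext (http) servers cannot be graded, so their grade is None.
SCAN = [
    ("App1", "api.example-health.test",     "functional",    "https", "A+"),
    ("App1", "cdn.ads.test",                "nonfunctional", "https", "B"),
    ("App2", "backend.example-health.test", "functional",    "https", "C"),
    ("App2", "legacy.example-health.test",  "functional",    "http",  None),
    ("App3", "sync.example-health.test",    "functional",    "https", "A-"),
    ("App3", "tracker.example.test",        "nonfunctional", "https", "A"),
    ("App4", "auth.example-health.test",    "functional",    "https", "A"),
    ("App4", "metrics.example.test",        "nonfunctional", "http",  None),
]


def below_a_range(grade):
    """True for any SSL Labs grade outside A+, A, A- (B..F, T, M)."""
    return grade is not None and grade not in A_RANGE


def summarize(records):
    """Compute the paper-style per-server and per-app counts.

    Assumption: only graded HTTPS servers enter the below-A count; cleartext
    HTTP to a functional backend is counted as an 'entirely unsecured
    connection' for the app instead.
    """
    apps = set()
    functional_graded = 0
    functional_below_a = 0
    apps_bad_functional = set()
    apps_cleartext_functional = set()
    apps_bad_nonfunctional = set()
    for app, _host, category, scheme, grade in records:
        apps.add(app)
        is_functional = category == "functional"
        if scheme != "https":
            if is_functional:
                apps_cleartext_functional.add(app)
            continue
        if is_functional:
            functional_graded += 1
            if below_a_range(grade):
                functional_below_a += 1
                apps_bad_functional.add(app)
        elif below_a_range(grade):
            apps_bad_nonfunctional.add(app)
    return {
        "apps": len(apps),
        "functional_graded": functional_graded,
        "functional_below_a": functional_below_a,
        "apps_with_bad_functional": len(apps_bad_functional),
        "apps_with_cleartext_functional": len(apps_cleartext_functional),
        "apps_with_bad_nonfunctional": len(apps_bad_nonfunctional),
    }


def chi_square_2x2(below_a, a_range, ref_below_a, ref_a_range):
    """Pearson chi-square (1 df, no continuity correction) for a 2x2 table.

    Rows: sample vs reference population; columns: below A range vs A range.
    Returns (statistic, p_value); for 1 df the tail probability is
    erfc(sqrt(x / 2)).
    """
    a, b, c, d = below_a, a_range, ref_below_a, ref_a_range
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:
        raise ValueError("every row and column needs at least one count")
    stat = n * (a * d - b * c) ** 2 / denom
    return stat, erfc(sqrt(stat / 2))


if __name__ == "__main__":
    print(summarize(SCAN))
    # The paper's mHealth row (44 of 291 below A) against a constructed
    # reference row of 300 below A out of 1000 servers.
    print(chi_square_2x2(44, 247, 300, 700))
```

The chi-square function deliberately omits Yates' continuity correction; whether the authors applied one is not stated in the abstract, so treat the constructed P value as illustrative of the comparison, not as a reproduction of their result.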
format Online
Article
Text
id pubmed-6364205
institution National Center for Biotechnology Information
language English
publishDate 2019
publisher JMIR Publications
record_format MEDLINE/PubMed
spelling pubmed-6364205 2019-02-27 Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms. Müthing, Jannis; Brüngel, Raphael; Friedrich, Christoph M. J Med Internet Res, Original Paper (abstract as in the description field). JMIR Publications 2019-01-23 /pmc/articles/PMC6364205/ /pubmed/30672738 http://dx.doi.org/10.2196/jmir.9818 Text en ©Jannis Müthing, Raphael Brüngel, Christoph M Friedrich. Originally published in the Journal of Medical Internet Research (http://www.jmir.org), 23.01.2019. This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on http://www.jmir.org/, as well as this copyright and license information must be included.
title Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms
topic Original Paper