UK NHS-backed health apps 'riddled with security flaws'

Official approval seems to mean very little these days

As if striking junior doctors weren’t enough, the UK's NHS also has technology worries, according to a study by app security firm Arxan.

All of the NHS-approved apps Arxan audited lacked binary protection against code tampering, and most also lacked adequate protection in the transport layer. Flaws also emerged in FDA-approved health apps in use in the US.

Arxan found at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks in 90 per cent of the 126 apps investigated. More than 80 per cent of the health apps tested that were approved by the US Food and Drug Administration (FDA) or the UK National Health Service (NHS) were also found to have at least two of the OWASP Mobile Top 10 Risks.

The findings are part of Arxan’s fifth Annual State of Application Security Report, which this year focused on healthcare and finance apps.

The upshot is that mobile health apps approved by regulatory/governing bodies are nearly as vulnerable as other mobile apps.

Insufficient transport layer protection and the absence of binary protection were the two most common classes of vulns that cropped up during Arxan’s study. The vulnerabilities could result in application code tampering, reverse-engineering, privacy violations, and data theft.
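As an added illustration of what "insufficient transport layer protection" looks like in practice on Android (this is an example written for this page, not Arxan's or Mi3's tooling, and it does not reproduce the study's test procedure): an app's Network Security Config can permit plain-HTTP traffic or trust user-installed CA certificates, both of which leave traffic open to interception. The small auditor below parses such a config and flags those settings, and reports when no certificate pin set is declared. Both XML samples are constructed for the example, the host name `api.example.invalid` is a placeholder, and the pin digest is a dummy value rather than a real certificate hash.

```python
"""Audit an Android Network Security Config (res/xml/network_security_config.xml)
for transport-layer weaknesses: cleartext traffic, trust in user-installed CAs,
and the absence of certificate pinning.  Added example with constructed input."""
import xml.etree.ElementTree as ET

# Constructed sample: a config that allows plain HTTP and trusts user-added roots.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed sample: cleartext off, only the system CA store trusted, and a
# pin set for the API host.  The pin digest is a dummy placeholder value.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.invalid</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


def audit_network_security_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged.

    Note: when cleartextTrafficPermitted is absent, Android's default depends on
    the app's targetSdkVersion (permitted before API 28, blocked from API 28 on),
    so only an explicit "true" is flagged here.
    """
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    # base-config applies globally; domain-config overrides it per host.
    for tag in ("base-config", "domain-config"):
        for cfg in root.iter(tag):
            if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
                findings.append(f"{tag}: cleartext (plain HTTP) traffic permitted")
            # Trusting the user store lets a user-installed root CA intercept TLS.
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{tag}: user-installed CA certificates trusted")

    # Without a pin-set the app relies solely on the CA trust store for server identity.
    if root.find(".//pin-set") is None:
        findings.append("no pin-set declared: no certificate pinning for any domain")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_network_security_config(cfg) or 'no findings'}")
```

The check is intentionally conservative: it flags only explicit weak settings, so a config that omits `cleartextTrafficPermitted` on an app targeting an old API level would still need a manual look at the manifest's target SDK.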

Binary protection shortcomings could result in privacy violations, theft of personal health information, and tampering, according to the security firm, which specialises in developing application protection and anti-tampering technologies.

Popular mobile health and finance apps from the US, UK, Germany, and Japan were put under the microscope as part of Arxan’s study ... which offers little comfort for fanbois. Audited iOS apps were at least as vulnerable as Android apps, it said.

More information on the study can be found on Arxan’s microsite here. A paper (PDF) focusing on the healthcare side of the study explains the methodology and findings of the audit, as well as the results of a related survey of consumer attitudes.

Whether or not apps failed against any of the OWASP Mobile Top 10 Risks was tested by Arxan using tools from its partner Mi3. The process was semi-automated, using a combination of automated software tests and manual evaluations in each case. ®