2017 Oct 18;5(10):e147.
doi: 10.2196/mhealth.7791.

Client-Focused Security Assessment of mHealth Apps and Recommended Practices to Prevent or Mitigate Transport Security Issues


Jannis Müthing et al. JMIR Mhealth Uhealth.

Abstract

Background: Mobile health (mHealth) apps are of growing importance for patients and health care professionals. Apps in this category are diverse. Some display important information (eg, drug interactions), whereas others help patients to keep track of their health. However, insufficient transport security can lead to confidentiality issues for patients and medical professionals, as well as safety issues regarding data integrity. mHealth apps should therefore apply intensified vigilance to protect their data and integrity. This paper analyzes the state of transport security in mHealth apps.

Objective: The objectives of this study were as follows: (1) identification of relevant transport issues in mHealth apps, (2) development of a platform for test purposes, and (3) recommendation of practices to mitigate them.

Methods: Security characteristics relevant to the transport security of mHealth apps were assessed, presented, and discussed. These characteristics were used in the development of a prototypical platform facilitating streamlined tests of apps. For the tests, six lists of the 10 most downloaded free apps from three countries and two stores were selected. As some apps were part of these top 10 lists in more than one country, 53 unique apps were tested.

Results: Out of the 53 apps tested from three European App Stores for Android and iOS, 21/53 (40%) showed critical results. All 21 apps failed to guarantee the integrity of data displayed. A total of 18 apps leaked private data or were observable in a way that compromised confidentiality between apps and their servers; 17 apps used unprotected connections; and two apps failed to validate certificates correctly. None of the apps tested utilized certificate pinning. Many apps employed analytics or ad providers, undermining user privacy.

Conclusions: The tests show that many mHealth apps do not apply sufficient transport security measures. The most common security issue was the use of any kind of unprotected connection. Some apps used secure connections only for selected tasks, leaving all other traffic vulnerable.

Keywords: computer security; confidentiality; data security; health information technology; mobile apps; mobile health.

Conflict of interest statement

Conflicts of Interest: None declared.

Figures

Figure 1
The Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) protocol stacks. The topmost layers (transport layer security [TLS] and HTTP itself) are of most interest. The HTTP protocol carries all relevant data sent to or received from the server. Examples of HTTP data are written in blue. These data are readable by any third party when TLS is not used. When HTTP is used on top of TLS, these data are encrypted. Additionally, TLS ensures the integrity of the messages exchanged and the authenticity of the server and, in some cases, the clients.
Figure 2
BProxy example results output. The columns inform the user about observations made by the proxy: the Transport Layer Security (TLS) version used (TLS version), whether certificate pinning was used (Cert pinning used), whether cookies were observed (Session hijacking), whether authentication tokens were visible (Leaks credentials), whether Open Authorization (OAuth) tokens were observed (OAuth), the server location for the domain visited (Location), the results of the certificate validation tests (SSL Test 1-4), and whether usernames or passwords were observed (Username/Password leak). More information on BProxy's output can be found on the Web.
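The Results and the Figure 2 caption describe the observations an interception proxy records per request (plaintext vs TLS, TLS version, cookies and tokens in view, certificate validation outcome, pinning) and how they roll up into a per-app verdict such as "failed to guarantee integrity". The following added example, which is not part of the paper and not BProxy's code, shows one way to turn such observations into the same kind of per-app table. The `Observation` fields, the finding names and the classification rules are this example's own assumptions; the sample requests are constructed and do not come from any app tested in the study.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Observation:
    """One proxied request as a test proxy might record it (field names are assumptions)."""
    app: str
    url: str
    tls_version: Optional[str]           # None when the request went over plain HTTP
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    pinning_observed: bool = False       # app rejected the proxy's locally trusted certificate
    accepted_invalid_cert: bool = False  # app kept talking after being shown an invalid certificate


# Matches a password-style form field in a request body (a simple heuristic).
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd)=[^&\s]+")
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def classify(obs: Observation) -> Set[str]:
    """Return the set of transport findings for a single request."""
    findings: Set[str] = set()
    plaintext = obs.tls_version is None or obs.url.lower().startswith("http://")
    if plaintext:
        findings.add("unprotected_connection")
    if obs.accepted_invalid_cert:
        findings.add("certificate_validation_failure")
    # Either condition lets an on-path attacker read and alter the exchange,
    # so integrity of displayed data is not guaranteed and anything in the
    # request is exposed.
    if plaintext or obs.accepted_invalid_cert:
        findings.add("integrity_not_guaranteed")
        lowered = {h.lower() for h in obs.headers}
        if CRED_RE.search(obs.body):
            findings.add("username_password_leak")
        if "cookie" in lowered:
            findings.add("session_hijacking")
        if "authorization" in lowered:
            findings.add("credential_token_leak")
    elif obs.tls_version in LEGACY_TLS:
        findings.add("legacy_tls_version")
    return findings


def summarize(observations: List[Observation]) -> Dict[str, dict]:
    """Aggregate per-request findings into one row per app, like the Figure 2 table."""
    per_app: Dict[str, dict] = {}
    for obs in observations:
        row = per_app.setdefault(obs.app, {"findings": set(), "pinning": False, "critical": False})
        row["findings"] |= classify(obs)
        # Pinning is recorded if it was seen on any host; an app that pins only
        # some hosts still leaves the others open, which the findings will show.
        row["pinning"] = row["pinning"] or obs.pinning_observed
    for row in per_app.values():
        row["critical"] = "integrity_not_guaranteed" in row["findings"]
    return per_app


# Constructed sample traffic (not from any real app): app-a uses TLS only for
# selected tasks, app-b accepts an invalid certificate, app-c negotiates an old
# TLS version, app-d pins its certificate.
SAMPLE: List[Observation] = [
    Observation("app-a", "http://api.example.test/login", None,
                {"Content-Type": "application/x-www-form-urlencoded"},
                "username=alice&password=hunter2"),
    Observation("app-a", "https://api.example.test/profile", "TLSv1.2",
                {"Cookie": "session=abc"}),
    Observation("app-b", "https://api.example.test/me", "TLSv1.2",
                {"Cookie": "sid=42"}, accepted_invalid_cert=True),
    Observation("app-c", "https://telemetry.example.test/ping", "TLSv1.0"),
    Observation("app-d", "https://api.example.test/sync", "TLSv1.2",
                pinning_observed=True),
]


def count_critical(summary: Dict[str, dict]) -> int:
    return sum(1 for row in summary.values() if row["critical"])


if __name__ == "__main__":
    table = summarize(SAMPLE)
    for app, row in table.items():
        print(f"{app:6} critical={row['critical']!s:5} pinning={row['pinning']!s:5} "
              f"{sorted(row['findings'])}")
    print(f"{count_critical(table)}/{len(table)} apps critical")
```

Note that app-a is marked critical even though part of its traffic is protected: one plaintext login request is enough to expose the password and to let a network attacker modify what the app later displays, which is the "secure connections only for selected tasks" pattern the Conclusions describe.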
