Most FDA-Approved Apps Susceptible to Cyber Risks

Register now

More than 80 percent of mobile health apps approved by the Food and Drug Administrationhave tested positive for two critical security vulnerabilities, according to a vendor specializing in anti-tamper protections for software.

Arxan Technologies found that 84 percent of the mHealth apps tested did not adequately address at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks.

Most of the apps were vulnerable to application code tampering and reverse-engineering. However, 95 percent of the FDA-approved apps lacked binary protection, which could result in privacy violations, theft of personal health information, and tampering.

Besides compromising sensitive health information, the company warned that such vulnerabilities could lead to a health app being reprogrammed to deliver a lethal dose of medication.

“Cybersecurity of medical devices is a primary concern for the agency and we will continue our work with manufacturers and other stakeholders to ensure cybersecurity vulnerabilities are addressed throughout a device’s lifecycle—which includes design and maintenance—to keep patients safe and best protect the public health,” said the FDA in a written statement. “The FDA will continue ongoing efforts to ensure the safety and effectiveness of medical devices by helping increase cybersecurity awareness and encouraging manufacturers to proactively address cybersecurity concerns.”

Also See: 10 Ways to Secure Your Mobile Device

Arxan’s findings were part of its 5th Annual State of Application Security Report, which includes an analysis of 71 of the most popular mobile health apps from the U.S., U.K., Germany, and Japan—with 86 percent of those apps found vulnerable to at least two of the OWASP Mobile Top 10 Risks.

Health apps tested that were approved by the U.K. National Health Service did not fare much better than those approved by the FDA, as NHS did not adequately address at least two of the OWASP Mobile Top 10 Risks, and 100 percent of the apps were found to be lacking binary protection.

Arxan also did a survey of 238 mobile health app users, finding 78 percent believe their apps are “adequately secure,” and 50 percent are confident that “everything is being done” to protect their apps. At the same time, 76 percent said they would change apps if they knew they were not secure or if they knew alternative apps were more secure.

Patrick Kehoe, chief marketing officer of Arxan, warned that “in the rush to bring new apps to market, organizations tend to overlook critical security measures that are proving crucial to consumer loyalty.”

For reprint and licensing requests for this article, click here.