With the pandemic, COVID-19 tracking applications have arrived to fight against this harmful virus that affects the entire world globally. Although, it can be a good tool in the fight against the coronavirus, it also has its negative side. The positive would be, without a doubt, the tracking of those people known or not, who have been in contact with that person. However, the negative is that important security flaws have been found in the vast majority of them.
In the annual security report carried out by the company Intertrust on the top 100 health applications for Android and iOS, it reveals that serious security flaws have been found. Thus in these apps they have encountered the following problems:
- Cryptographic vulnerabilities.
- Data leaks.
- Security breaches.
This means that both companies and governments that have these types of applications must take their security more seriously.
The Intertrust report on health apps
The report from this security company investigated 100 publicly available global mobile health apps. In the study, apps from different categories were selected, such as telehealth, medical devices, health trade and those for monitoring COVID. The objective of the study was to discover the most critical threats of health-related applications.
The general findings of the study suggest that the rush to try to stop the coronavirus, in many cases, has come at the expense of the security of mobile apps. According to Intertrust CTO Bill Horne, there has been a history of security vulnerabilities in the healthcare and medical space. He also added that the situation is improving a lot, but that there is much work to be done.
How these apps were tested
Intertrust’s Safety Report on Medical Mobile Applications was based on an audit that analyzed 100 iOS and Android applications from healthcare organizations around the world. The analysis of these apps was performed using a series of static application security tests (SAST). They also used dynamic application security testing (DAST) techniques based on OWASP (Open Web Application Security Project) mobile app security guidelines.
The results of this study revealed significant security gaps in mobile medical applications across the board. Therefore, there is a lot of work left for these apps to have good security.
85% of COVID-19 apps had security flaws
Thanks to the Intertrust security study, carried out with 100 apps from around the world, a series of conclusions could be drawn. One of the most important is that when we talk about COVID-19 monitoring applications, 85% filter data . Perhaps it is due to the haste to obtain results, but that does not mean that the institutions and governments that are behind them, fix their security problems.
Interestingly, 83% of detected high-level threats could have been addressed using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography. Also, 71% of the medical apps tested have at least one high-level security flaw . We can rate them as high when it can be easily exploited and has the potential to cause significant loss or damage.
Also 91% of medical applications have misused or have weak encryption that puts them at risk of data exposure. If we focus on mobile operating systems, we have that 34% of Android applications and 28% of iOS applications are vulnerable to the extraction of encryption keys .
To finalize the statistics of this study, 60% of the Android apps tested stored information in SharedPreferences. This left the data unencrypted and could be easily readable and editable by cybercriminals. Therefore, we hope that companies, institutions and governments will take security work seriously. We want COVID-19 tracking apps and medical apps as secure as possible.