Mobile Health App and API Security: Common Flaws
Ex-Black Hat Hacker Alissa Knight Discusses New Research Findings
Broken object level authorization, or BOLA, vulnerabilities are among the most common and worrisome weaknesses contained in dozens of mobile health applications used by patients and clinicians, posing security and privacy risks to health information, says cybersecurity researcher Alissa Knight.
Knight, an ex-Black Hat hacker, recently examined 30 mobile health apps and application programming interfaces with the cooperation of multiple companies, on the condition that none of the findings would be publicly linked to their organizations. The study, "All That We Let In: Hacking 30 Mobile Apps and APIs," was sponsored by security vendor Approov.
BOLA vulnerabilities enable an adversary to substitute the ID of one resource for that of another, she says in an interview with Information Security Media Group. When the object ID is passed directly in the URI, the endpoint is open to ID enumeration, which gives an adversary the ability to read objects that don't belong to them.
In mobile health apps, BOLA flaws can lead to unauthorized access to full patient records, including downloadable pathology lab results, X-ray images, bloodwork, allergies and personally identifiable information, she says.
"What was systemic across all the APIs that I tested was the ability to request data from other patients or clinicians," she says.
"I would log in with a clinician account and I would be assigned only certain patient records," she says. But by exploiting the BOLA flaw, "I then reached out and grabbed other patient records that didn't necessarily get assigned to my clinician log-in."
Similarly, when Knight logged in as a specific patient for a hospital's patient mobile app, "I was able to request not just my records, but the records of other patients that had checked into that hospital."
"This is not a problem with just one mobile app or API," she says. "It was across all the APIs that I tested."
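The pattern Knight describes, an object ID taken straight from the URI and never checked against the caller, is easiest to see as code. The following is an added example written for this page, not code from the study or from any of the apps tested: a minimal in-memory stand-in for a `GET /patients/{id}/records` endpoint, first with the BOLA flaw and then hardened with a server-side ownership/assignment check. The patient records, clinician assignments, `Principal` type and handler names are all constructed for illustration. The enumeration helper walks sequential IDs the way an attacker would, and reproduces both scenarios above: a clinician assigned one patient reading every patient, and a patient reading other patients' records.

```python
"""Broken object level authorization (BOLA): a vulnerable record lookup
beside a hardened one. Constructed example; the data and handler shape
are assumptions, not the APIs examined in the study."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: three patients at one hospital, two clinicians.
PATIENTS: Dict[int, dict] = {
    1001: {"name": "Patient A", "labs": "CBC normal"},
    1002: {"name": "Patient B", "labs": "HbA1c 7.9"},
    1003: {"name": "Patient C", "labs": "Pathology pending"},
}

# Which patients each clinician is assigned to. This is the authorization
# relationship the vulnerable handler never consults.
ASSIGNMENTS: Dict[str, set] = {
    "dr_smith": {1001},
    "dr_jones": {1002, 1003},
}


@dataclass(frozen=True)
class Principal:
    """Authenticated caller, as established by the session/token layer.
    Authentication is assumed to work; the flaw here is authorization."""
    subject: str
    role: str                          # "clinician" or "patient"
    patient_id: Optional[int] = None   # set for patient principals


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def get_record_vulnerable(caller: Principal, patient_id: int) -> dict:
    """GET /patients/{patient_id}/records with BOLA: the ID from the URI is
    trusted as-is, so any logged-in user can read any patient's record."""
    if patient_id not in PATIENTS:
        raise NotFound
    return PATIENTS[patient_id]


def can_access(caller: Principal, patient_id: int) -> bool:
    """Object-level check: the caller must own the record (patient) or be
    assigned to it (clinician). Derived from the caller's identity, never
    from anything the client sent in the request."""
    if caller.role == "patient":
        return caller.patient_id == patient_id
    if caller.role == "clinician":
        return patient_id in ASSIGNMENTS.get(caller.subject, set())
    return False


def get_record_hardened(caller: Principal, patient_id: int) -> dict:
    """Same endpoint with the authorization check applied per object.
    Unauthorized and nonexistent IDs both return 404, so the endpoint
    does not confirm which IDs exist to an enumerating caller."""
    if patient_id not in PATIENTS or not can_access(caller, patient_id):
        raise NotFound
    return PATIENTS[patient_id]


def enumerate_ids(handler: Callable[[Principal, int], dict],
                  caller: Principal, id_range: Iterable[int]) -> List[int]:
    """What an attacker does against a BOLA endpoint: walk sequential IDs
    with one valid login and keep every ID that returns data."""
    found = []
    for pid in id_range:
        try:
            handler(caller, pid)
            found.append(pid)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    clinician = Principal("dr_smith", "clinician")            # assigned only 1001
    patient = Principal("pt_1002", "patient", patient_id=1002)
    ids = range(1000, 1010)
    print("vulnerable, clinician:", enumerate_ids(get_record_vulnerable, clinician, ids))
    print("hardened,   clinician:", enumerate_ids(get_record_hardened, clinician, ids))
    print("vulnerable, patient:  ", enumerate_ids(get_record_vulnerable, patient, ids))
    print("hardened,   patient:  ", enumerate_ids(get_record_hardened, patient, ids))
```

Two design points carry over to a real API. The authorization decision uses only the authenticated principal and a server-side relationship (ownership or assignment), not a patient ID or role claim supplied in the request. And the hardened handler returns the same 404 for "not yours" and "does not exist", which takes away the existence oracle that makes sequential ID enumeration cheap; switching to non-sequential identifiers helps too, but is not a substitute for the check itself.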
In the interview, Knight also discusses:
- Details of how she conducted her research;
- Other common mobile health app and API security weaknesses identified during the study;
- Potential security concerns involving the Department of Health and Human Services' promotion of the Fast Healthcare Interoperability Resources (FHIR) and SMART interoperability standards for patients to use smartphone applications and API resources to access their digital health records;
- Steps to bolster the security of mobile apps and APIs.
Knight, who calls herself a recovering hacker, is an independent cybersecurity researcher and author. Her recent work includes assisting the Pentagon in securing the global Marine Corps network. In 2020, she authored a book about hacking connected cars and APIs.