m-Health applications are at the peak of popularity. The Covid-19 pandemic has made us use them actively. As a result, either patients or medical specialists have revealed the numerous benefits and opportunities provided by m-Health apps. However, every bean has its black. As numerous surveys have shown, a vast majority of mobile healthcare applications are extremely vulnerable when it comes to security issues. And what is interesting is that cybercriminals usually use APIs as the easiest way to access PHI and PII. API or application programming interface can be defined as an intermediary enabling applications to respond to each other. APIs provide developers with protocols, routines, and tools for data extraction and sharing in an accessible manner. An app can contain a whole range of APIs. Still, with stepped-up cyber attacks, API security has become a concern. As long as a refusal from API usage is not an option at all, there is a necessity to tighten security. So, stay tuned for more on the efficient ways to protect your healthcare apps from API attacks.
What is an API Attack?
As the name implies, an API attack is a cyber-attack that suggests using API as a loophole to access sensitive data in order to use it for malicious activities.
What are the API Security Risks for E-Health Apps?
As we have already mentioned API is a top choice when it comes to unauthorized healthcare data access. It is a sad truth that might be explained by numerous API vulnerabilities. In these terms, we can list a number of the main API security risks for healthcare applications:
Denial of Service (DoS) Attacks
A DoS attack is one of the most widely used among cybercriminals. The story behind it is to flood the bandwidth of a targetted application with numerous requests. Thus, the aim of a DoS attack is to overload app hardware by overcrowding it with multiple concurrent connections. Cybercriminals usually achieve this by submitting a vast amount of data in each request. That is why it is essential to impose certain restrictions on the number of requests or the volume of data.
Man in the Middle or MITM attack
In the process of a MITM attack, a hacker creepingly substitutes, changes, and intercepts messages and requests between an API endpoint and a client to get sensitive information.
API injection attack
An API injection attack suggests the embedment of malicious code like SQLi and XSS into an application with poorly developed and insecure source code which lets attackers consolidate control over the app and data.
In this case, hackers try to bypass or break the authentication methods used by an app. Cybercriminals compromise authentication tokens or use implementation flaws to take in authorized users’ identities temporarily or permanently if authentication mechanisms are implemented improperly.
This kind of API attack assumes an attempt to manipulate the parameters exchanged between a client and a server. The aim is to substitute application data, such as user credentials, product price, product quantity, etc.
Unencrypted communication is one of the threads that can be easily used by cybercriminals to obtain personal information. If a development team has failed to utilize Transport Layer Security (TLS), it may provide cybercriminals with free reign over an API and data that passes through it.
Object-level authorization is an access control mechanism usually implemented at the code level to make sure that particular users can access only those objects, i.e. information that they have the right to access. When a healthcare application has a BOLA vulnerability that is a Broken Object-Level Authorization, there is a high probability of sensitive data exposure to attackers. Using pretty simple scripting attackers can alter in the API call a resource ID of an authorized user with an ID of their own resource.
Key elements of e-Health apps mobile data protection
Prevention is always better than cure. That is why it is always better to build your e-health with security in mind. It is essential to understand from the outset which security risks exist and what can be done to avoid or at least mitigate them.
In these terms, we strongly recommend you establish security control and stick to some listed below time-proven security practices that are suitable for both iOS or Android applications:
As we have already stated security must be of primary importance and API security should not be an afterthought as well. Unsecured APIs can costs your business a lot at the end of the day. Considering the use of certain APIs, make sure that they are indeed secure and well managed.
Secure authentication and authorization methods
Poor authentication and authorization or even their absence are among the main problems of most publicly available APIs. As long as APIs provide an entry point to corporate databases, it’s crucial to thoroughly control access to them. Whenever it is reasonable, use solutions using solid authentication and authorization mechanisms such as MFA, 2FA, OAuth, and OpenID Connect.
The principle of least privilege (PoLP)
PoLP is one of the basic information security concepts according to which users gain the minimum access level needed to complete their job tasks. So the principle of least privilege is a part of efficient access control management that should be also applied to APIs.
When it comes to sensitive data, it is important to provide not only its secure storage but also transmission. Used in healthcare applications APIs exchange sensitive data like credentials, social security, banking information, health information, etc. in a regular manner. For this reason, it is important to ensure that API payload data is properly encrypted with the Transport Layer Security or TLS protocol.
Ensuring that secret data is not exposed
Since an API is considered to be a tool for developers, it more often than not contains keys, passwords, and other sensitive data that should be eliminated before API gets publicly available. Unfortunately, sometimes this step is left out of account. Therefore, it is strongly advised to introduce scanning tools into DevSecOps processes to avoid accidental exposure of confidential data.
Minimum data exposure
Most APIs tend to reveal far too much information, whether it comes to the volume of external data passing through an API or the API endpoints. This is usually the case whenever API passes the task of data filtering to the user interface instead of an endpoint. Ensure that APIs return just as much data as is needed to perform their functions.
Every input validation
It is of primary importance to never trigger any action without preliminary validation of input. This approach lets avoid indeed a lot of security issues. Everything that is accepted by a server must be carefully checked. Any additional content and the enormous data amounts should be rejected. In this context, it is useful to utilize JSON or XML schema validation to avoid any SQL injection or XML bomb.
Use quotas and throttling
Impose quotas on the number of API calls and monitor metrics from time to time. An increased number of API calls may indicate an attempt to abuse it. Besides, introduce throttling to protect an API from either spikes or Denial-of-Service attacks.
Use of tokens
It is a good practice to use tokens to establish reliable identities and have access to services and resources over complete control.
Any application should undergo testing, but for healthcare applications, it is a must. A wide range of the most diverse tests must be executed and particular attention must be paid to security testing covering API issues as well.
Ways to test API security of healthcare apps
It is pretty clear that API security testing plays an essential role in robust and reliable healthcare app development. Still, we would like to highlight its importance one more time.
Healthcare apps are a favorite aim of cybercriminals. Every year a great number of such apps fall prey to hackers and usually, APIs are the easiest access points for them. If hackers manage to breach API security, they can gain access to your corporate information and your patients’ sensitive data. It can have dire consequences:
Selling of your patients’ confidential data on the dark web.
A severe blow to your reputation.
A drastically rapid decrease in customer retention rate and revenue.
Lawsuits in case data have been stolen due to your negligence.
All these unpleasant things can be avoided with the help of proper API security testing. You should take it seriously and never ignore it otherwise it can cost you a fortune.
Below you can find a few ways to test API security that can come in handy:
Fuzz testing is deemed to be the easiest type of security testing as it implies the black box testing technique and is executed with the help of malformed data injection.
Fuzz testing does not suggest the use of advanced tools. What a tester should do is simply send an unexpected value to API and check whether it gets broken. For instance, if an API expects numbers in the inputs, values with negative numbers or zero can be sent.
Poorly coded applications heavily depend on certain formats, so fuzz testing is a good way to find possible security bugs in an application.
Command injection is a cyber-attack which aim is an arbitrary command execution on a host operating system. Command injection can be performed when an application passes unsafe user-supplied information (e.g. forms, cookies, HTTP headers) to a system shell. As a rule, command injection attacks are possible mostly due to improper input validation.
So a tester’s mission is to imitate cybercriminal’s actions and verify API vulnerabilities when it comes to operating system commands in API requests, SQL and API parameters, authentication on all endpoints, unhandled HTTP methods, etc.
API security testing should also check whether an app can withstand parameter tampering that can be done due to backend sanitizing errors and results in an opportunity to manipulate parameters sent in API requests. Therefore it makes sense to always test the forms with a type=”hidden” to make sure that the backend server correctly validates them.
Top API security testing tools securing e-Health apps
Today a myriad of API security testing tools are available on the market helping to automate testing and make it more efficient. The most useful and widely used tools in this class are listed below;
Initially designed for load testing execution, JMeter currently can be used for various purposes including API security testing. The tool enables automatic work with CSV files which simplifies the creation of unique values for test parameters.
Soap UI is an extremely widely used tool specially developed for API functional testing but security tests can be also run with its help. Soap UI is characterized by a unique ability to make things easier and complete testing processes faster.
Karate is an open-source API testing tool with a powerful set of versatile functionalities and options. It is considered to be a complete package of the testing framework.
Postman is one more popular API testing tool. An army of QA engineers opts for it as it supports multiple languages. Among other advantages are a rich interface, a great variety of options, and flexibility in terms of being used with both MAC and Windows.
Taurus is an open-sourced test automation tool enabling QA engineers to write in the YAML environment. The tool plays an important role in the process of penetration testing due to its smart integration between numerous options.
m-Health applications are extremely vulnerable and often serve as a target for cyber attacks. Used in m-Health apps APIs are often weak spots leveraged by hackers to gain access to valuable health data that costs a lot on the dark web. So in order to mitigate security risks and avoid plenty of problems, it is advised not to ignore the best security practices during healthcare app development and to ensure comprehensive API security testing.