Mobile Intelligence Case Study: General vs Medical apps

In this post, we share some of our findings from submitted apps. This data reflects our common vision of mobile app vulnerabilities and risks. On the one hand, malware is not the only threat vector in the mobile space. This is particularly true for sandboxed platforms such as Android and iOS, where it is more difficult for malware to get past the layers of app store acceptance criteria and blacklisting. On the other hand, app developers build their apps with the desire to publish to the market rapidly, while the app's security life cycle may not be a priority.

As we have observed, there are over 10 million apps already in the Android ecosystem; we envision that apps are the weakest link in mobile security. In our preliminary study of the submitted apps, we considered two sets of data. The first set, which we refer to as the "general cases", is a collection of 433 apps with diverse functions. The second set was a specialized sample of 22 apps focused on medical use (moviebox is one of the 22 apps), which we refer to as the "medical cases".

We identified the top 6 risk types and the top 5 OWASP categories that dominated the discovered risks. We also computed the average number of risks per app, as shown in "Table 1 - Results" (below).

The most striking observation is our case study on the medical apps. One may think that medical apps would be more secure because they involve more personal data and privacy, and thus more scrutiny by developers. Our data shows the opposite: these apps tend to be riskier than the general apps. A medical app is detected with 4.64 risks on average, which is 1.65 more risks than a general app! A medical app is also detected with an average of 0.68 high risks per app, which is more than twice that of a general app.

Table 1 - Results

Case studied                                 | General                                      | Medical
Number of samples                            | 433                                          | 22
Percentage of samples with risks             | 56%                                          | 86%
Top 6 risk names and their percentages       | 1. Backup Flag Enabled (14%)                 | 1. Weak Random Number Generator (14%)
                                             | 2. Start App with Hidden Intent (13%)        | 2. Backup Flag Enabled (14%)
                                             | 3. Broken Cryptographic Hash Function (10%)  | 3. Start App with Hidden Intent (10%)
                                             | 4. Weak Random Number Generator (10%)        | 4. Broken Cryptographic Hash Function (10%)
                                             | 5. Android Logcat Security (7%)              | 5. WebView Components Vulnerabilities (9%)
                                             | 6. WebView Components Vulnerabilities (7%)   | 6. Android Logcat Security (8%)
Top 5 OWASP categories and their percentages | 1. M8: Security Decisions Via Untrusted Inputs (33%) | 1. M6: Broken Cryptography (27%)
                                             | 2. M6: Broken Cryptography (23%)             | 2. M8: Security Decisions Via Untrusted Inputs (26%)
                                             | 3. M9: Improper Session Handling (13%)       | 3. M7: Client Side Injection (15%)
                                             | 4. M7: Client Side Injection (12%)           | 4. M9: Improper Session Handling (11%)
                                             | 5. M4: Unintended Data Leakage (10%)         | 5. M4: Unintended Data Leakage (9%)
Number of total risks per app                | 2.81                                         | 4.64
Number of high risks per app                 | 0.33                                         | 0.68
Number of medium risks per app               | 1.42                                         | 2.45

Our observations from Table 1 are summarized as follows:

o Out of the 433 general apps submitted, 56% had at least one risk
o Out of the 22 medical apps submitted, 86% had at least one risk
o For both the general and medical cases, the top 5 OWASP categories are:

  ▪ M8: Security Decisions Via Untrusted Inputs
  ▪ M6: Broken Cryptography
  ▪ M9: Improper Session Handling
  ▪ M7: Client Side Injection
  ▪ M4: Unintended Data Leakage
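
To make the risk names in Table 1 concrete, the following added example (not part of the original study, and not the scanner used to produce these numbers) applies simple static heuristics for five of the top-6 risks to a constructed AndroidManifest.xml and Java source fragment. The regexes, the sample package name and the rule-to-risk mapping are assumptions made for illustration; "Start App with Hidden Intent" is not covered because it needs intent-level analysis beyond a text heuristic.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs standing in for a decompiled app's manifest and source.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.health">
  <application android:allowBackup="true" android:label="Demo"/>
</manifest>"""

SAMPLE_SOURCE = """
import java.util.Random;
import java.security.MessageDigest;
public class Session {
    String token() { return Long.toString(new Random().nextLong()); }
    byte[] digest(byte[] pin) throws Exception { return MessageDigest.getInstance("MD5").digest(pin); }
    void show(String t) { android.util.Log.d("Session", "token=" + t); }
}
"""

# Source-level indicators for four of the Table 1 risk names (hypothetical heuristics).
SOURCE_RULES = {
    "Weak Random Number Generator": re.compile(r"\bnew\s+(java\.util\.)?Random\s*\("),
    "Broken Cryptographic Hash Function": re.compile(r'getInstance\(\s*"(MD5|MD2|SHA-?1)"\s*\)'),
    "Android Logcat Security": re.compile(r"\bLog\.[vdiwe]\s*\("),
    "WebView Components Vulnerabilities": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
}

def manifest_risks(manifest_xml):
    """Return risk names found in the manifest; here only the backup flag is checked."""
    app = ET.fromstring(manifest_xml).find("application")
    risks = []
    # allowBackup defaults to true when the attribute is absent, so absence is flagged too.
    if app is not None and app.get(ANDROID_NS + "allowBackup", "true") == "true":
        risks.append("Backup Flag Enabled")
    return risks

def source_risks(java_source):
    """Return the risk names whose indicator pattern appears in the source text."""
    return [name for name, rx in SOURCE_RULES.items() if rx.search(java_source)]

def scan(manifest_xml, java_source):
    """Combine manifest and source findings into one sorted list of risk names."""
    return sorted(manifest_risks(manifest_xml) + source_risks(java_source))

if __name__ == "__main__":
    for risk in scan(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print("risk:", risk)
```

A real review would confirm each hit in context (for example, `Random` used only for non-security purposes is not a finding), which is why tools of this kind report indicators rather than verdicts.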

The OWASP distribution for both the general and medical cases is as follows:

Figure: Risks and OWASP category breakdown

Scott, Song and 0XID team
Our mission: eliminating data breaches from mobile and IoT apps


Addendum

Names of the 22 Medical Apps

GoodRx Drug Prices and Coupons
FollowMyHealth
MyChart
Period & Ovulation Tracker
Pregnancy +
Ear Spy: Super Hearing
1800CONTACTS App
CareZone
Drugs.com Medication Guide
Epocrates
Ovia Pregnancy Tracker
Blood Pressure (My Heart)
Feed Baby – Baby Tracker
Visual Anatomy Free
Pregnancy Test App prank
Diabetes Logbook by mySugr
Marijuana Strain Guide
Medscape
AnatomyLearning – 3D Atlas
Drugs Dictionary
MyQuest

Figure 1 – Medical Images