Business of Well-being

Building Secure Apps, Part Two: The Corporate Challenge

A recent article in Internet Retailer notes that US consumers will make $18.2 billion in purchases on their smartphones this year, an increase of 143% over 2011. Currently, 58% of Americans own a smartphone, and that share is still rising with no sign of slowing anytime soon.


As health care companies react to the rise of the mobile device, many are building health, wellness, exercise and dietary tracking apps for their patients or recommending apps by third-party vendors. As a sequel to my previous column on this subject: these can be great tools to motivate your patients and help them achieve their fitness goals, but you need to understand the security risks apps represent.


If you're recommending an app, you need to make sure it's undergone rigorous security testing. If you're building your own app, you need to integrate security testing into your development cycle. Failing to protect your patients can result in real-world costs from loss of patient trust and loss of business.


Yet as our research has discovered, more than 60% of apps have security gaps that put users at risk. Inherent platform vulnerabilities and social engineering continue to pose major opportunities for cyber thieves, and thus significant challenges for those looking to protect user data.


Because of the risks built into so many third-party mobile apps, we recommend making your own native apps whenever possible. This option doesn't suit every health care operation, but there are now a number of companies like Sencha or Appcelerator that can provide the basic framework for creating customizable apps for your practice.


These services can greatly improve your speed to market without a heavy investment in resources or technology, but using them won't necessarily give you an app with the level of security you need to offer it to your patients with confidence.


You need to include security testing as an integral part of your do-it-yourself app building process rather than as an afterthought. A secure app should be tested for resistance to man-in-the-middle attacks and SSL proxy attacks. You need to know how your app is storing sensitive data on the device, and whether data is encrypted when it is transmitted.


You need to test the strength and security of your user/password authentication methods and security enforcement. Performing your own security audit may sound daunting, but it's a must if you're offering apps to your patients. And doing this kind of rigorous testing may be easier than you think.
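One part of the audit described above, checking how an app stores sensitive data on the device, can be started offline. The script below is an added example written for this column; it is not viaLab's code or any vendor's tool. It constructs a stand-in for an app's local data directory (a preferences file, a notes file and a binary "vault"), then walks it and flags files that hold plaintext credentials or patient identifiers while skipping files that look like ciphertext. The file names, the JSON key list and the sample values are all constructed for illustration; on a real engagement you would point it at data pulled from a test device instead.

```python
"""Offline audit of an app's local data directory for plaintext sensitive data.

Added example for this column, not viaLab's code. The directory layout and
sample contents are constructed here; real apps keep data under
platform-specific paths that you would copy from a test device.
"""
import json
import math
import os
import re
import tempfile
from collections import Counter

# Patterns for data that should never sit on disk unencrypted.
# Illustrative, not an exhaustive PII catalogue.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Preference/JSON keys whose values are credentials (assumed names).
SECRET_KEYS = {"password", "passwd", "token", "secret", "api_key", "session"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: high entropy and not valid UTF-8 text.

    Caveat: compressed or media files also score high, so a hit means
    'probably not plaintext', not 'proven encrypted'.
    """
    if shannon_entropy(data) < ENTROPY_THRESHOLD:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def secret_keys_in_json(text: str) -> list:
    """Return names of credential-like keys that carry a non-empty string."""
    try:
        obj = json.loads(text)
    except ValueError:
        return []
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                    found.append(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(obj)
    return found


def audit_file(path: str) -> list:
    """Findings for one file; an empty list means nothing was flagged."""
    with open(path, "rb") as fh:
        data = fh.read()
    if looks_encrypted(data):
        return []
    text = data.decode("utf-8", errors="replace")
    findings = [f"plaintext {name}" for name, pat in PII_PATTERNS.items() if pat.search(text)]
    findings += [f"plaintext credential key '{k}'" for k in secret_keys_in_json(text)]
    return findings


def audit_storage(root: str) -> dict:
    """Walk the data directory; map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = audit_file(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def build_sample_app_dir() -> str:
    """Constructed stand-in for an app's data directory (not real app data)."""
    root = tempfile.mkdtemp(prefix="app_data_")
    with open(os.path.join(root, "prefs.json"), "w") as fh:
        json.dump({"user": "jdoe", "password": "hunter2", "api_key": "abc123"}, fh)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Patient contact: jane.doe@example.com, SSN 123-45-6789\n")
    # Uniform bytes stand in for ciphertext: exactly 8 bits/byte of entropy.
    with open(os.path.join(root, "vault.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_app_dir()
    for rel_path, found in sorted(audit_storage(sample_root).items()):
        print(f"{rel_path}: {', '.join(found)}")
```

Running it flags prefs.json for the plaintext password and API key and notes.txt for the e-mail address and SSN-like number, while vault.bin passes because nothing readable can be recovered from it. The entropy check is deliberately a heuristic: it tells you which files deserve a closer look, and a clean result still has to be confirmed by reviewing how the app actually derives and stores its encryption key.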


We created viaLab as a comprehensive security suite designed to accelerate the identification and resolution of mobile app security and privacy issues. It performs data extraction to see how sensitive information is stored, and captures and analyzes network traffic to detect encryption problems.


It also executes man-in-the-middle, SSL proxy and other attacks to test an app for vulnerabilities. In addition, viaLab performs code analysis and examines an app's authentication methods. We also offer a free report detailing the best security practices for mobile app development.


This guide represents some of the wisdom we share with our clients and partners. While the descriptions of attacks and security recommendations in this report are not exhaustive or perfect, if you follow them, your apps will be more secure than 60% of those offered through Apple's App Store or Google Play.


Mobile apps can be a wonderful way to keep your patients engaged and help them monitor their health and wellness goals. But if they're using an unsecured app to do so, they may be putting sensitive data at risk, and you don't want to be the person who recommended the app that led to their identity being stolen.


Make sure the third-party apps you recommend or those you create yourself have undergone rigorous security testing.

About the Author

Andrew Hoog is the CEO and co-founder of viaForensics (www.viaforensics.com), a computer scientist and a mobile forensics researcher. He has two patents pending and is the author of two books on mobile forensics and security.