© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Mobile Apps & Connected Health Care: Managing 3rd-Party Mobile App Risk
Andrew Hoog | Founder | NowSecure
NH-ISAC 2017 Third Party Risk Summit
November 2017
WHO AM I?
▪ Andrew Hoog, NowSecure Founder
• NowSecure Founder & Board Member
• Literally wrote the books on mobile forensics & security
• 2 patents for data recovery/forensics
• Expert witness
• Brief gov’t agencies & top banks on mobile security topics
Proud sponsor/supporter of:
TWO VECTORS OF MOBILE APP RISK
CONNECTED CARE
BYOD with BYOApps
THE STATE OF BYO IN HEALTH CARE
71% of hospitals allow BYOD
63% of physicians use personal devices for work (even if BYOD is prohibited)
41% of nurses use personal devices for work (even if BYOD is prohibited)
Source: Spoke’s Fifth Annual Mobility Strategies in Healthcare Survey: Results Revealed
AT THE TOP 25 LARGEST US HOSPITALS
24,823 employees (devices) on average
89 apps per device on average
2,200,000 points of risk
Source: “Average number of apps installed by users in the United States in 2016, by device,” Statista
NIST/NCCOE: SECURING EHR ON MOBILE DEVICES & APPS
“Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization’s networks.”
NIST Cybersecurity Practice Guide SP 1800-1b
TYPES OF APPS IN CLINICAL ENVIRONMENTS
▪ Medical device control/monitoring
▪ Clinical care - scheduling, EMR management
▪ Medical imaging - for viewing MRI, X-ray, etc.
▪ Secure/compliant communications - voice, text, alerting
▪ Reference - calculators, prescription/diagnostic information
▪ Education - continuing medical education (CME), study materials
▪ Consumer health - disease management, trackers, etc.
▪ Other 3rd-party apps - games, social networking, etc.
WHAT IS THE MOBILE APP ATTACK SURFACE?
API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross-origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN
DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance
DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App Transport Security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag
CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd-party libraries
▪ World-writable files
▪ World-writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/PIN stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World-readable files
HOW SECURE ARE MOBILE APPS IN GENERAL?
Business apps: 3X more likely to leak account credentials
60% of orgs report an insecure mobile app contributing to a breach
50% of Android apps dynamically load code missed by static analysis
1% of Android apps use the Google SafetyNet Attestation API properly
35% of apps transmit data un-encrypted
25% of apps have at least 1 high-risk flaw
Source: NowSecure Software and Research Data 2016-2017, Ponemon Institute 2017 Study on Mobile & IoT App Security
WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?
SECURITY & ARCHITECTURE
• Evaluate mobile technology
• Establish mobile security and architecture requirements
• Test for vulnerabilities and ensure security, privacy, compliance
MOBILE CENTER OF EXCELLENCE
• Centrally coordinate & enable business mobilization
• Support BYOD, COPE & enterprise-managed devices & apps
• Easy, quick vetting of 3rd-party mobile apps to ensure they meet policy and governance requirements
COMPLIANCE & RISK
• Establish risk-based guidelines for mobile app security, compliance and privacy
• Ensure governance and controls are in place for all mobile apps
• Track and report on industry compliance and privacy mandates
3RD-PARTY MOBILE APP RISK IN HEALTH CARE
STATE OF MOBILE APP SECURITY IN HEALTH CARE
▪ Good news: Many developers do the right thing
▪ Bad news: Too many risks still persist
▪ Our industry assessment:
• Leveraged advanced mobile app vetting technology to identify security, compliance, and privacy gaps in Android and iOS apps using industry-standard CVSS scores
• A number of apps had no severe risks
• Numerous apps had significant security risks
iOS: CLINICAL COMMUNICATIONS APPS
iOS: UK MEDICAL REFERENCE APP
ANDROID: INSERTABLE CARDIAC MONITOR (ICM) APP
iOS: ELECTROCARDIOGRAM APP
ANDROID: PATIENT EMR APP
PATH TO MITIGATING 3RD-PARTY APP RISK
● Use 3rd-party mobile app vetting for existing approved apps already deployed to scope the current risk profile
● Identify appropriate mobile app remediations, reconfigurations or removals for existing 3rd-party apps
● Adjust policies as needed
● Leverage MDM to fully inventory all mobile apps across enterprise mobile devices
● Use 3rd-Party mobile app vetting across all apps from MDM inventory to scope full risk profile
● Identify & take appropriate remediations & actions
● Continuously monitor all approved 3rd-Party apps for risky updates
● Establish policy & process to take new 3rd-Party mobile app requests and vet app requests before deployment
● Integrate 3rd-Party mobile app vetting into EMM automation, black/whitelisting
NEED TO ADDRESS BOTH VECTORS OF MOBILE APP RISK
CONNECTED CARE
BYOD with BYOApps
THANK YOU - RESOURCES
Blog: HIPAA-compliant mobile apps
bit.ly/2zZpoQz
Blog: Mitigating MITM risks in mHealth apps
bit.ly/2jfiaxo
THANK YOU!