Top 5 Security Weaknesses of Employee Wellness Mobile Apps
Employee wellness apps are extremely popular but are also often insecure. According to Tom Tovar, CEO and co-creator of Appdome, while there are many different aspects of these apps that could be hardened, there are five measures developers can take to protect against the most common attacks.
The number and variety of employee wellness apps have exploded over the past few years. In fact, by October 2021, there were more than 20,000, according to the European Connected Health Alliance. Both employees and employers find them beneficial because they provide an easy-to-use framework for improving both physical and mental health. They also cover a dizzying array of activities, from mindfulness, meditation, physical fitness, nutrition, benefits admin, mental health, employee assistance, and eHealth, to telehealth and stress management.
It’s not uncommon for these apps to connect to a company’s benefits administration software or even their human capital management platforms, which makes them tempting targets for cybercriminals. After all, these apps may not only store sensitive and valuable information on employees, but they could also serve as a vector to attack a company’s HR systems. These systems hold a treasure trove of data that fraudsters can use in their schemes.
Unfortunately, studies show that many apps are perilously insecure. For example, a 2021 study in the U.S. National Library of Medicine evaluated 20,000 mobile health apps and found that almost half did not use encryption when communicating with back-end servers. It also found that almost a quarter of personal data, such as passwords and geolocation data, was insecurely transmitted.
These same researchers conducted a related study to understand why security was so poor in so many mHealth apps. In their survey of developers, they found that 63% lack security guidelines and regulations to follow as they implement security, and 56% lack security expertise altogether.
Clearly, this lack of security is a problem for employees and for the companies that use these apps. But FTC regulation may soon require wellness apps to follow the same disclosure requirements for data breaches that are laid out in the Health Insurance Portability and Accountability Act (HIPAA). This means that a developer’s reputation could be harmed by more than just word of mouth should a breach occur.
Mobile app security is a complex endeavor, but developers can defend against the most common attacks with five fundamental security measures.
1. Encrypt all data stored inside the app
As noted above, employee wellness apps frequently collect personally identifiable information (PII), such as home addresses, social security numbers, dates of birth, and so on. That’s important to protect on its own, but apps often go beyond just this basic information to include information about medical providers, insurance plans, medications, insurance status and health conditions. Much of this is protected by HIPAA, so it’s especially important to make sure data stored inside the app is protected with strong encryption.
2. Protect data in transit for employee wellness apps
Mobile apps don’t exist as a single piece of software inside a mobile device. Nearly every mHealth app also connects to back-end services and software that provide much of the app’s functionality, including corporate HR systems, ERP platforms and other key pieces of the enterprise software stack. If data in transit is not properly protected, these enterprises risk additional exposure through a substantial increase in the attack surface. Simply put, these employee wellness mobile apps can act as a vector for a direct attack on critical systems, including credential stuffing, large-scale botnet attacks, and even ransomware.
Employee wellness apps must communicate and transmit data through an encrypted channel so that man-in-the-middle and other network-based attacks cannot intercept and alter information in transit. Additionally, developers must ensure that they have implemented proper measures to validate digital certificates to ensure that only authenticated communications are allowed.
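As an added illustration (not from the article or from Appdome), here is an Android Network Security Config that enforces the two points above: cleartext HTTP is refused, only the platform's system CA store is trusted (so a CA the user installed for an interception proxy cannot pass validation), and the back end's public keys are pinned so that only the expected server is accepted. The host name api.example-wellness.com and the pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example file, placeholder values) -->
<network-security-config>
    <!-- Default for every host the app talks to: no plain HTTP, and trust only
         the system CA store. Leaving out <certificates src="user" /> means a CA
         added by the device user (e.g. a proxy CA) is NOT trusted, so traffic
         intercepted with such a CA fails certificate validation. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rule for the app's own back end (placeholder host name):
         besides normal chain validation, the server's chain must contain one of
         the pinned SubjectPublicKeyInfo (SPKI) hashes. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-wellness.com</domain>
        <!-- Ship at least two pins (current key plus an offline backup key) so a
             key rotation does not lock users out. After the expiration date the
             pins are no longer enforced, which is safer than a permanent lockout. -->
        <pin-set expiration="2025-12-31">
            <!-- base64(SHA-256(SPKI)) of the current server or CA key (placeholder) -->
            <pin digest="SHA-256">PLACEHOLDER_CURRENT_KEY_SPKI_SHA256_BASE64=</pin>
            <!-- backup key, kept offline and used only when the primary is rotated -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_KEY_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The file is referenced from the manifest's <application> element with android:networkSecurityConfig="@xml/network_security_config". A pin value can be computed from the server certificate with openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64.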
3. Pass enterprise security tests without sacrificing employee privacy
This is an often-overlooked avenue for data exposure. Enterprise security teams now typically require all of their mobile work apps, including employee wellness apps, to pass rigorous code scans, penetration tests, and vulnerability assessments before they can be deployed for employee use. Passing these tests will require security capabilities such as debugger prevention, tamper prevention, and code obfuscation, which prevent hackers from reverse-engineering the app to develop stronger attacks, perpetrate fraud, or even create trojans that look and feel like the real thing but wreak all kinds of havoc. Additionally, it’s important to enable an app to detect when it’s running on a jailbroken or rooted device; when it does, hackers can gain elevated privileges that enable them to bypass security measures, alter the app, and reverse engineer it.
But it’s important to provide all of this protection without putting an agent or profile on the end user’s device because these agents can often overreach as they capture data, leaving it exposed.
4. Protect against mobile malware and automated attacks
Trojans and other forms of malware commonly attack wellness apps. In fact, trojans known as “FluBot” and “TeaBot” have already masqueraded as the popular wellness app Uplift in order to attack other apps on employees’ devices. The fake app looked like a legitimate version of Uplift, but in reality it contained malware whose goal was to target other apps on the user’s device using an overlay attack: it abuses Android Accessibility services, intercepts messages, records input via keylogging, and can ultimately take over the Android device by remote control.
Measures need to be implemented to detect automated attacks, overlays, and other malware tactics so that they can be shut down immediately, protecting the end user, the data, and the back-end systems to which the app connects.
5. Compliance with evolving regulations
Regulations such as HIPAA change regularly, so it’s important to implement systems within the development team, ideally automated, to ensure that your security measures comply with the current law.
Employee wellness apps are important tools for HR departments, and they can confer significant benefits to companies and individuals alike, improving mental and physical health. But they must be secure — the consequences of a breach are simply too great to risk. Thankfully, by applying these five foundational security measures, employee wellness mobile apps can be protected from the most common forms of attack.