Wearables and data security

Alan Bavosa at Appdome explains the importance of preventing wearable health apps from compromising customers’ data security

 

Wearable devices, such as smart watches, are becoming increasingly popular. To meet demand, brands are stepping up production and launching them alongside smartphones, so by 2024, it is predicted that over 440 million wearables will be sent out to customers annually. 

 

Key to their rising adoption and popularity is the well-rounded and easy-to-digest snapshot they provide on customers’ personal health data. They deliver this through their use of sensors that can pick up data from users’ bodies – like heart rate or step count – and transmit it to wearable health apps.

 

As adoption of wearables continues to grow, this makes them an attractive target of hackers and fraudsters, in part due to the immense amount of highly personalized data that they handle. For example, many wearable apps are designed for health and fitness tracking. They may collect sensitive health-related data such as heart rate, blood pressure, sleep patterns, calories burned, and activity levels.

 

This information may be considered personally identifiable information (PII) or personal health information (PHI) and could be subject to strict privacy regulations or health industry regulations such as HIPAA. 

 

Wearable apps also include location data, such as GPS or other location-tracking technologies to provide services like mapping, navigation, or activity tracking. Location data can reveal a person’s movements and habits, making it sensitive and potentially privacy-invading if mishandled.

• Biometric data: Some wearables, such as smartwatches or fitness bands, incorporate biometric sensors like fingerprint scanners, heart rate monitors, or electrocardiograms (ECG). These sensors collect unique physiological data, which is considered extremely sensitive and can be used for authentication or health monitoring purposes.
•  User profiles: Wearable apps may store user profiles that include personally identifiable information (PII) like names, contact details, email addresses, and usernames, and there would also be artifacts of personal data stored in places like app preferences as plain text XML strings. This information is highly valuable to bad actors.  

Encrypt data to comply with privacy laws

To shore up wearable health app security, developers should consider using data encryption to protect the data stored on the device, as well as data in transit, as data moves between APIs and across public networks.

 

In addition, wearable apps often store sensitive data within the application code or as text-based strings, so it is also important to encrypt data beyond the application sandbox, including keys, secrets, tokens, URLs, and payloads – stay secure even if a hacker tries to intercept it. This is essential for compliance with relevant privacy laws. For example, in the UK, patient data must be protected under the Data Protection Act (DPA). Companies can be hit with significant financial fines if they do not comply with this legal framework.

 

In addition, to suffering immense reputational damage that can result in the loss of customers and further economic repercussions to the business. 

   

Secure communication between apps and infrastructure 

Hackers also often attempt to take advantage of the communication between the wearable device/app and the server infrastructure that the app connects to. There are many different tools, techniques and methods hackers use to compromise mobile data as it travels across a network or the public internet.

 

 Some of the most common threats to mobile data in transit are Man-in-the-middle (MitM) attacks, malicious proxies, forged digital certificates, fake Wi-Fi, session hijacking or session replay attacks, or exploiting weak or outdated encryption methods or algorithms, and much more. This can pose real-world dangers as it can be used to falsify crucial health data, which can prove to be life-threatening.

 

Reassuringly, there are certain precautions developers can take to secure the channel of communication between the mobile app and the mobile backend. 

 

It all starts with ensuring that SSL/TLS handshake is established correctly, as this is likely to be the first place an attacker will try to insert themselves to intercept or hijack the session before the secure channel is established.

 

To prevent such an attack will require multiple security defenses, such as SSL certificate validation and TLS enforcement might not be a bad idea, to ensure that a secure version of TLS is used to establish the secure connection. If a stronger security posture is required, then developers may want to implement certificate pinning, which would ensure that the app only connects to hosts/servers that are known to be trusted.

 

And of course, you will want to ensure that any key material or certificate info is obfuscated and stored securely inside the app using methods such as code obfuscation. By encrypting data developers can prevent any unauthorized entities from accessing private data.  

 

Protect wearables against malware

In addition to encryption, wearable health apps are also susceptible to mobile malware and Trojans, which mobile wearable users may unknowingly download or encounter via numerous channels, such as fake apps or clones, phishing links, disreputable app stores.

 

Today’s modern malware use a wide variety of highly sophisticated techniques to trick mobile users into performing harmful actions or revealing sensitive data. These attack techniques range from tricking users into approving dangerous or highly privileged mobile app permissions to abusing OS services like Accessibility Services, which can be used to monitor user activity, harvest data, intercept or inject keystrokes and much more.

 

Attackers of apps that share personal data have become fond of overlay attacks as well, which is an attack type in which the user is tricked into performing harmful actions or revealing sensitive data after interacting with malware that intentionally covers part of the users’ screen with a malicious overlay. Overlays may also use some form of masquerading on the part of malware apps or Trojans.

 

Introduce data loss prevention tools

Beyond protecting customers from hackers, companies should also put measures in place to protect users from themselves as they can often prove to be the weak link that allows their sensitive data to be misappropriated. For example, it is common for users to copy data from their app and paste it somewhere else, such as in a browser to look up more information.

 

People also take screenshots of their data for later use. However, there are many ways that sensitive information can leak from the app either inadvertently or via data theft or harvesting, especially if the device has existing malware resident on it. 

 

To combat data leakage developers could consider implementing copy/paste and screen recording preventions – making it harder for users to expose their data through sharing. Going a step further, developers could also consider preventing screen captures/screenshots/mirroring or screen recording. Implementing one or more of these defences will add further protection against data leakage.

 

And of course, it would be highly advisable to protect the mobile app against static and dynamic reverse engineering, which hackers typically perform to learn how a mobile app functions by decompiling and reading the source code directly, and/or by observing the app as it runs, using tools like debuggers and emulators.

 

To protect against such nefarious activities, developers should obfuscate native and non-native source code, libraries as well as the application’s logic, combined with several basic dynamic protections such as Anti-tampering, Anti-debugging, and preventing the app from being run on emulators or other powerful app players. 

 

Get ahead of hackers with automation 

By 2026, the wearable technology market is estimated to be worth $265.4 billion. As the market grows, so too do concerns surrounding its security. Hackers are recognising society’s growing dependence on wearable health apps and are attempting to cash in.  Protecting a mobile-first consumer is very different from protecting an online or web consumer. The attacks and threats are different, the delivery model is different, and the consumer expectation is higher.

 

To protect your mobile consumers and apps requires thinking and acting like a dev team, embracing agile systems that offer no-code delivery, threat intelligence, and automation to rapidly deliver protections directly inside Android & iOS apps all within the DevOps CI/CD pipeline and workflows.  

 

---

 

Alan Bavosa is VP Security Products at Appdome

 

Main image courtesy of iStockPhoto.com