According to a recent report by mobile security firm Arxan Technology, the overwhelming majority of top paid and free apps for both iOS and Android have been hacked. And that prevalence of hacking extends to FDA-cleared health apps as well.

Researchers from Arxan evaluated the top 100 paid and free apps in both the Android and iOS markets; they also looked at the apps available in several key industries like financial services and healthcare. In particular, they looked to see if duplicate, unauthorized versions of the app could be found outside traditional app stores (i.e. Google Play and iTunes), indicating that the app had been compromised.

They found that 75% of free iOS apps and 80% of free Android apps have been hacked. And lest you think that’s just because they’re free, Arxan reported that 97% of the top 100 paid Android apps and 87% of the top 100 paid iOS apps have been hacked as well.


They also looked specifically at healthcare, evaluating the top 20 sensitive health apps in the Android and iOS market. Here, their findings diverge significantly. They found that 90% of the Android apps they looked at had been hacked; four of those apps were FDA cleared. However, none of the iOS apps they evaluated had been hacked. They did, however, note a striking rise in the past year in hacking of iOS apps in general and the emergence of novel vulnerabilities as well as malware targeting iOS.

That even FDA-cleared apps had been hacked should in particular give healthcare professionals some pause. I recently discussed how FDA clearance is very different than approval; FDA clearance is generally based on information submitted by the company behind the product and does not mean the FDA did any sort of systematic evaluation itself. Arxan also pointed out the limitations of current FDA guidance on mobile apps that will hopefully be addressed in the future:

The Food and Drug Administration (FDA) in the U.S. applies its regulatory oversight to mobile medical apps that, if compromised, could pose a risk to a patient’s safety. The last guidance issued by the FDA was on Sep 25, 2013. However, the guidance does not address key vulnerabilities related to reverse-engineering, repackaging, republishing and runtime attacks. Corporations should acknowledge that regulations are “lagging hackers” and ensure that their apps are protected against binary attacks.

Others have attempted to more systematically evaluate and certify apps as meeting strict security standards. Happtique in particular went so far as certifying 16 apps, taking over a year to do so, only to soon discover that several had significant security flaws. That program was indefinitely suspended.

These vulnerabilities pose risk to patients using health apps in several ways. They increase the risk of hackers targeting specific apps to steal sensitive data or gain unauthorized access to mobile devices. For Android users in particular, hacked versions of the apps can be placed in third-party app stores posing as the real app; unsuspecting patients could download the hacked app, exposing themselves to all kinds of risks.

In the report, Arxan makes several recommendations for security measures that app developers need to employ, particularly when dealing with sensitive information and functionality. And it’s important to know that apps aren’t alone in the digital health space in terms of major security vulnerabilities – many wearable health devices have significant security flaws as well.

For now, it’s important for individual consumers – clinicians as well as patients – to be aware of these risks and take steps to mitigate them. For example, don’t use the same password for your EMR or bank account that you do for your Fitbit or calorie tracker. For Android users, being cautious about where you download apps, particularly health apps, is important as well. And finally, we need to demand from health and medical app developers more of a focus on the security of their products.

Ed. Note: This article was updated after publication to clarify the definition of “hacked” used in the report.