论文信息 - A Generic Process to Identify Vulnerabilities and Design Weaknesses in iOS Healthcare Apps

A Generic Process to Identify Vulnerabilities and Design Weaknesses in iOS Healthcare Apps

Due to the capability of mobile applications (or apps, as they are commonly known) to access sensitive data and personally identifiable information (PII) such as medical history and electronic health transactions, they present a genuine security and privacy threat to their users. In this paper, we propose a generic process to identify vulnerabilities and design weaknesses in apps for iOS devices. We validate our process with a widely used Australian Government Healthcare app and revealed previously unknown / unpublished vulnerability that consequently exposes the user's sensitive data and PII stored on the device. We then propose several recommendations with the hope that similar structural mistakes can be avoided in future app design.

Kim-Kwang Raymond Choo | Christian D'Orazio | Christian D'Orazio

[1] Athanasios K. Tsakalidis,et al. easyHealthApps: e-Health Apps Dynamic Generation for Smartphones & Tablets , 2013, Journal of Medical Systems.

[2] Jae-Kwang Lee,et al. Development of Mobile Hybrid MedIntegraWeb App for Interoperation between u-RPMS and HIS , 2012, ICCSA.

[3] Joyce M Lee,et al. The Promise and Peril of Mobile Health Applications for Diabetes and Endocrinology , 2013, Pediatric diabetes.

[4] Donna S. Eng,et al. Mobile Health Applications for Diabetes and Endocrinology: Promise and Peril? , 2013 .

[5] Kim-Kwang Raymond Choo. Secure Key Establishment , 2008, Advances in Information Security.

[6] Richard Earnshaw. Procedure Call Standard for the ARM ® Architecture , 2006 .

[7] Kim-Kwang Raymond Choo,et al. iOS Anti-forensics: How Can We Securely Conceal, Delete and Insert Data? , 2014, 2014 47th Hawaii International Conference on System Sciences.

[8] John A. van der Poll,et al. 19th Americas Conference on Information Systems, AMCIS 2013 - Hyperconnected World: Anything, Anywhere, Anytime , 2013, AMCIS 2013.

[9] Upkar Varshney,et al. Investigating Privacy and Security Challenges of mHealth Applications , 2013, AMCIS.

[10] Colin Boyd,et al. Security of Two-Party Identity-Based Key Agreement , 2005, Mycrypt.