Sunday, April 7, 2013

Back to jail

Jailbreaking iPhones and rooting Android phones is a fun, popular thing to do for mobile devices. You can extend the functionality of the device, customize, and do pretty much what you want.

It gives freedom to the user.


The issue here is, it also creates security vulnerabilities. Within the growing trend of Mobile Apps for healthcare, we are loading ePHI onto the mobile device. This can be extremely sensitive information which falls under HIPAA and HITECH.

Anyone who has read Hacking and Securing iOS Applications will instantly realize the problem.

A jailbroken/rooted device is wide open to security exploits. All the data can be seized, malware can be installed, key loggers can be installed, the secure keychain can be tapped. All of your data is open to a hacker.

If data is not software encrypted by a user derived key, if passwords and usernames aren't encrypted, if SSL certificates aren't pinned, you are wide open to exploitation. Further so, if your Apps run on jailbroken/rooted devices, anyone can write simple changes to the underlying OS code to exploit data at runtime.

In short: kill your mHealth Apps running on jailbroken devices - as soon as you can. If users are using jailbroken/rooted devices, leveraging HIPAA/HITECH as a reason for this policy is a simple "sell." It is in their best interest to not run mHealth Apps on rooted devices.