
Too much Appley WRISTJOBBERY could be BAD for your HealthKit

Security bods warn of potential wristy fatpipe abuse

By Kat Hall, 6 May 2015

Users of Apple's healthcare data app platform - intended to allow developers access to healthcare info collected via its wristy gizmo - could be left wide open to security exploits, infosec bods have warned.

The ResearchKit and HealthKit platforms are intended to allow health researchers to aggregate information collected from iOS users who opt in to contribute their personal medical data.

Tim Cook told CNBC that in the project's first 24 hours Apple had 11,000 people sign up for a study in cardiovascular disease through Stanford University's app. Apple has not disclosed the number of developers who will use the platform.

But security experts have said Apple has put too much onus on developers to provide the right level of security.

Cesar Cerrudo, CTO at security research firm IOActive Labs, said the current guidelines for developers do not provide security advice, and lack detail in areas such as requiring proper encryption of data.

He said one common security issue with apps was exploits arising from open Wi-Fi networks.

"It will ultimately be down to the user as to whether they trust the application or not," he said.

One security expert, who asked not to be named, said that without a security assurance coordinating body, the level of app security will be a mixed bag.

He claimed Apple has previously had a consistent set of rules on what it will and will not allow to be used on the devices it sells.

"[Now that] it is allowing developers to design apps without requiring security to be built in, this will result in flaws being discovered and exploited. This is where I think Apple might do well to help beyond simply providing the platform and backing off."

In its guidelines Apple said apps must comply with applicable law in each territory in which the app is made available.

Grounds for rejection from its platform include writing false or inaccurate data into HealthKit, storing health information in iCloud, and sharing user data gathered via the HealthKit API with third parties.

The apps must secure approval from an independent ethics review board, said Apple.

Apple declined to comment to the Reg for this article. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing