For scientists and researchers, optimising time in a laboratory nowadays plays a key role in processing and delivering results. There are applications that have specialised capabilities for R&D laboratories, process development and manufacturing laboratories or bioanalytical laboratories. This type of software in many cases is in charge of pathological data processing, manufacturing processes, sample management, personal data, clinical results, chemical processes, “secret” experiment formulas, electronic data exchange, etc. Therefore, this type of information is as attractive to cybercriminals as in any other industry today.
Laboratory Information Management System platforms, also known as LIS, are a type of software designed to improve the productivity and efficiency of today’s laboratories. These applications allow tracking of data associated with samples, experiments, laboratory workflows and instruments.
This type of platform is architected and deployed under several models. Among the main ones are ‘thick-client’ and ‘thin-client’ clients that run from any workstation, web environments, mobile applications, and Cloud and SaaS environments, all of which allow users to connect to the servers where the core LIMS functionalities and data are hosted. In this article we will take a closer look at the security status of the mobile applications that manufacturers provide as part of their integrated LIMS platforms.
Analysing LIMS Mobile Applications
We selected the latest version of 24 applications (iOS/Android) through which users can interact with a LIMS architecture deployed in an organisation and execute the corresponding tasks. Within this sample, we focused on a general analysis of the mobile application only. For this review we used a rooted Android device, a non-jailbroken iPhone and our platforms mASAPP (continuous security analysis of mobile applications) and Tacyt (mobile threat cyber-intelligence tool).
The main security controls of the OWASP Mobile Top 10 were considered for this review. They represent only an overview of the tests that could be performed in detail and exhaustively. The results showed that, although security controls have been implemented in the development of these applications, several weaknesses were found that should be corrected and, above all, that call for continuous improvement in the development process.
The vulnerabilities found in accordance with the assessed controls are listed in the following summary matrix:
We would like to highlight several weaknesses that we found in easily readable structures such as XML files, API keys or configuration files, reflecting bad practice in terms of insecure local storage.
While a large part of these applications establish secure communication channels (HTTPS) with their backends, as shown in our table of results, some still use unencrypted HTTP channels, do not verify certificate authenticity, rely on self-signed certificates or do not apply methods to improve security in this regard.
Likewise, among insecure application programming practices, we continue to observe the absence of measures such as code obfuscation (depersonalisation) to hinder the reversing process, removing obsolete or test files, avoiding deprecated functions or APIs, and keeping debug or logging functions and very descriptive code comments out of production applications. These measures are included in most secure development practice guides.
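A defender-side check for the three weaknesses described above (readable secrets in XML or configuration files, cleartext HTTP endpoints, and debug settings left in a production build), run over files already decoded from an Android package. This is an added example, not code from the original article or from mASAPP or Tacyt; the function name, the key-name patterns and the sample file contents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|passw(or)?d", re.I)  # assumed patterns
HTTP_URL = re.compile(r"http://[^\s\"'<>]+")
# XML namespace URIs are identifiers, not endpoints the app connects to.
IGNORED_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/")

def audit_files(files):
    """files: {path: decoded text}. Returns a sorted list of (path, finding)."""
    findings = set()
    for path, text in files.items():
        # Cleartext endpoints anywhere: manifest, resources, config files.
        for url in HTTP_URL.findall(text):
            if not url.startswith(IGNORED_PREFIXES):
                findings.add((path, f"cleartext URL {url}"))
        if not path.endswith(".xml"):
            # key=value configuration files bundled with the app.
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep and value.strip() and SECRET_NAME.search(key):
                    findings.add((path, f"secret in config: {key.strip()}"))
            continue
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            findings.add((path, "unparseable XML, review manually"))
            continue
        for el in root.iter():
            # Manifest flags that should not be enabled in a production build.
            for flag in ("debuggable", "usesCleartextTraffic"):
                if el.get(ANDROID_NS + flag) == "true":
                    findings.add((path, f"{flag}=true"))
            # Resource strings whose name suggests a credential.
            name = el.get("name", "")
            if el.tag == "string" and SECRET_NAME.search(name) and (el.text or "").strip():
                findings.add((path, f"secret in resource: {name}"))
    return sorted(findings)

# Constructed sample input standing in for files decoded from an app package.
SAMPLE = {
    "AndroidManifest.xml": '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                           '<application android:debuggable="true"/></manifest>',
    "res/values/strings.xml": '<resources><string name="lims_api_key">EXAMPLE-NOT-A-REAL-KEY</string>'
                              '<string name="app_name">Demo</string></resources>',
    "assets/config.properties": "server=http://lims.example.test/api\npassword=EXAMPLE\n",
}
```

Calling `audit_files(SAMPLE)` returns one finding per weakness class and ignores the Android XML namespace URI, which would otherwise be reported as a cleartext endpoint.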
Mobile applications have benefited the monitoring and automation of laboratory processes, where functionalities such as sample location and tracking, inventories, integration with instruments and other platforms, workflow optimisation and many more can be highlighted. However, we must not ignore the challenges associated with security controls, which in this type of application require careful consideration by equipment designers, software and control system developers, as well as good awareness among the users who use them.
The businesses of the so-called ‘bioeconomy’ companies and their laboratories of the future are facing the IT risks associated with security flaws that can be exploited by cybercriminals to profit from the cybercrime industry. On the other side of the equation are researchers, organisations, manufacturers and the community trying to bring security to this ‘new’ ecosystem.