The global pandemic that society is currently going through has forced the pharmaceutical retail industry to move much faster in the race of the so-called "digital transformation". Pharmaceutical companies have therefore had to rely on applications already deployed, or deploy new ones quickly. These are the same applications that run their business (managing prescriptions and drug orders, discounts, etc.) and that make their services attractive to customers in this period of high demand for drugs.
On the other hand, many governments around the world established mandatory quarantines, which led people to make greater use of digital channels to buy medicines, food, and other products. As a result, mobile applications and the infrastructure supporting them play a key role today and are likely to become part of our daily lives more than ever before.
What Are the Implications of This?
All the data generated by customers is handled by their mobile device and by the technological infrastructure (in-house or third-party) of the pharmaceutical companies. As you might expect, these applications can have vulnerabilities and pose a risk to customer data.
Many of these applications communicate directly with company devices and systems running internal processes, creating an additional attack vector for cybercriminals seeking this type of information.
For this analysis, we have selected the latest version of 29 applications (iOS/Android) from pharmaceutical companies where the user can access various services. These include, mainly, online purchase of drugs and management of medical prescriptions. The applications were randomly selected from pharmaceutical companies in South America, Spain, and the United States.
Within this set of samples, we focused on analysing only the mobile application itself. Although weaknesses were also discovered on the server side (backend), these were not included in the results.
For this analysis, we employed an Android device (rooted), an iPhone 5S (no jailbreak) and our platforms mASAPP (continuous security analysis of mobile applications) and Tacyt (mobile threat cyberintelligence tool).
In our case, the results showed that, although security controls had been implemented in the development of these applications, several weaknesses remain to be fixed and, above all, continuous improvement of the development process needs to be maintained. The vulnerabilities found, grouped by the controls evaluated, are shown in the following summary matrix:
Firstly, we wish to highlight several weaknesses found in easily readable structures such as XML or configuration files, including exposed API keys. This points to insecure local storage.
While a large number of these applications establish secure communication channels (HTTPS) with their backends, some unencrypted HTTP channels are still in use, as shown in our results box. We also found applications that do not verify the authenticity of their certificates or that accept self-signed certificates. Security clearly needs to be improved in this regard.
Also, among other insecure programming practices, we noted the lack of code obfuscation (which makes reverse engineering harder) in almost all Android applications.
A noteworthy finding of this analysis is that 5 of the applications were located by Tacyt on unofficial markets. In many cases they had been uploaded by users who were not necessarily the owners of the application (for purposes we do not know).
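As an added example (not part of the original analysis and not code from mASAPP or Tacyt), the following Python static check runs over constructed Android resource files and flags two of the weaknesses listed above: cleartext HTTP and trust anchors extended to user-installed CAs in network_security_config.xml, and credentials stored in a readable strings.xml. The domain name, resource names and pin value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from any analysed app): weak network_security_config.xml.
WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example-pharmacy.invalid</domain>
  </domain-config>
</network-security-config>"""

# Constructed hardened counterpart: no cleartext, system CAs only, pinned backend.
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example-pharmacy.invalid</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin></pin-set>
  </domain-config>
</network-security-config>"""

# Constructed strings.xml with a credential stored in a readable resource.
WEAK_STRINGS = """<resources>
  <string name="app_name">PharmaDemo</string>
  <string name="backend_api_key">CONSTRUCTED-PLACEHOLDER-KEY</string>
</resources>"""

def audit_network_security_config(xml_text: str) -> list[str]:
    """Flag cleartext HTTP and weakened trust anchors in a network_security_config.xml."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("base-config", "domain-config") and el.get("cleartextTrafficPermitted") == "true":
            scope = ", ".join(d.text for d in el.findall("domain")) or "all domains"
            findings.append(f"cleartext HTTP permitted for {scope}")
        if el.tag == "certificates" and el.get("src") == "user":
            findings.append("user-installed CAs trusted (certificate validation weakened)")
    return findings

SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password", re.I)

def find_hardcoded_secrets(strings_xml: str) -> list[str]:
    """Return names of non-empty <string> resources whose name suggests a credential."""
    return [s.get("name") for s in ET.fromstring(strings_xml).findall("string")
            if SECRET_NAME.search(s.get("name", "")) and (s.text or "").strip()]
```

Run against the two configurations, the weak one yields three findings and the hardened one none; the check is a triage aid and does not detect certificate validation disabled in code (for example a custom TrustManager).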
We believe that these findings are a further contribution to the progress towards enhanced security and hope that they will help application developers from the pharmaceutical sector.
In this global health crisis, there have been many other cases where industries have had to abruptly transform many of their traditional services into digital services, with all the IT risks that this entails.
Managing the security and privacy of user data in pharmaceutical applications is essential, since they store private health data. It is important for companies in this sector to be aware that their customer data is exposed to IT risks and that they should protect it through appropriate controls and continuous evaluations, while also keeping their technological infrastructure safe from potential cyberthreats.