By Pavel Novik, QA head of department, a1qa.
Mobile health apps have raised the healthcare industry to a new level. Now consumers have an opportunity to track their blood pressure, pulse rate, input their symptoms that will then be analyzed by the ML app on the go. Without visiting the doctor’s office, we can now monitor our health condition and even connect with the provider by sending an in-app message and getting the consultation within hours.
No doubt, mobile health apps are now being developed at a high pace, however, not without dangers. Probably the most common cause of worry is how the software products approach security and data privacy issues.
With no opportunities to seal users’ health records, can we be sure that the confidential information isn’t exposed?
7 tips to help deliver a secure mHealth app
- Collect only the needed data
The main tip is: don’t collect the data you don’t need. Collect the information with the clear purpose and regularly dispose of the data you no longer need.
- Check the legal regulations (GDPR, HIPAA, COPPA, etc.)
Check the legal regulations your app is subject to. It is important that the app is developed in compliance with security and privacy requirements defined by the GDPR that outlines the procedures of handling EU citizens data, HIPAA and COPPA (a new child-oriented edition of which will come into force in 2020) in the US. According to all this, users, for example, have a right to ask you to delete any data you’re storing or explain the reason what you need this or that piece of data for.
- Make sure users’ data is not shared with any third parties
Ascertain that you don’t share the data of your users with any third parties, e.g. social media companies or advertising agencies. Enhancing user experience and monetization are the natural goals of any app developer but be careful with this. Recently a number of mHealth apps have been accused of sharing user records with Facebook. You don’t want to be among them, right?
- Send push notification without confidential data
If you send push notifications, ensure they don’t include confidential health data.
- Protect the app code
Different vulnerabilities may exist in the source code and may be caused by the developers’ error or lack of code testing. What can be done about this? Protect the code with encryption and run constant code scanning.
- Run security and penetration testing
Proper mobile app security and pentesting will include the following stages.
- Preparation – the testing team gets information about the software product and possible events that may lead to its successful exploitation as well as prepares test documentation.
- Evaluation – the QA specialists evaluate the current security level of the app and recognize the potential vulnerabilities.
- Exploitation – security test engineers act as hackers trying to make use of the discovered bottlenecks.
- Reporting – the team presents the results to the stakeholders and gives recommendations on how the security level may be improved.
Don’t forget about performance and UX!
While running tests and improving the security level of your software product, don’t forget about file size, performance, runtime memory, battery usage, Internet connection. You definitely want your app to be secure but not at the cost of user experience and performance.
The professional testing team can go beyond these four stages and can evaluate your company’s infrastructure security that is made up of office equipment, wireless networks, and VoIP security levels.
By implementing social engineering techniques, the QA professionals will also assess your personnel behavior to make sure they don’t cause any information leakages – deliberately or with no intention.
On the final note
Your app can be a valuable solution in the market. It can help you make a fortune and improve the health of millions. However, without proper security measures taken and the needed level of transparency, there’s a high chance it can be sooner or later criticized by the community and get the attention you don’t want.
To prevent this scenario, follow the steps we’ve outlined and dole out some portion of your budget to address the team of security experts who will detect critical vulnerabilities in your app.