Report

Nikita Ulianov, SNE-1

Methodology

It was decided to choose the 5 most popular Russian applications on Google Play.

The list of applications is:

Doc+ - <500

Qapsula - <50

Доктор Рядом - <50

Вопрос к врачу - <50

Meadgreat - <10


As the basis for our methodology we have chosen OWASP and OASAM.

The following process of vulnerability analysis takes as reference the stages of current methodologies [1] [2], which are related to the protection of user privacy.

The vulnerability analysis is grouped into 4 stages over applications on Android OS, which may indicate the possible loss of users' information that could affect their privacy.

A. Authentication

This stage validates the methods related to the login procedures of the application by analyzing: vulnerabilities generated in logging methods, users and passwords that could be set by default, stored on the device, or placed in the application code, and possibilities of brute force attacks.

Methods of

B. Data transfer

At this stage, the data generated in the transmission of information between the application on the device and the host server is analyzed, by inspecting the contents of the transferred packets or by intercepting information from the web requests and session variables.

The Charles proxy tool was used for this.

C. Sensitive Data Storage on device

At this stage, it is analyzed what sensitive data is stored on the device, in what form, and how this data is protected against unauthorized access.

To see the stored data: ADB backup, "rooting" of the device.

D. Payments

Healthcare applications do not provide their help for free, thus this stage looks at how users' payment details are stored and how payments are processed.

Evaluation

A. Authentication

B. Data transfer

Using the Charles proxy server, it was found that most of the applications use TLS encryption.

The Qapsula application exchanges all data over plain HTTP, therefore making it possible to easily access data and perform man-in-the-middle attacks.

Other applications use HTTPS, making it not so easy to access users' data.

Nevertheless, if one of the certificates in the existing certificate chain is compromised it is possible to . Also, it is possible to install a proxy certificate on the device, making it possible to read traffic at the proxy.

It is worth mentioning that there can be even more serious consequences than leaking of information. In healthcare applications doctors prescribe medicines for users. Such prescriptions can be easily spoofed by an attacker to force the user to take an overdose or the wrong medicine.

We performed such an attack against the Qapsula application.

Since all data is transferred via HTTP, we easily captured a particular response from the data server that includes information about the medicine dose and doubled the number of times the drug should be taken per day. The process is shown in Figures X and X.






