Client Overview:
A customer-facing healthcare mobile application providing digital health services engaged our security team to assess the security posture of its Android platform. The application processes sensitive medical and personal data and integrates with multiple backend and third-party healthcare services.
Objective:
The objective of the engagement was to identify vulnerabilities that could:
Expose protected health information (PHI)
Enable unauthorized access to patient accounts
Lead to backend system compromise
Allow manipulation of application functionality
Methodology:
The assessment was conducted in alignment with OWASP Mobile Top 10, OWASP MASVS, and healthcare security best practices, and included:
Static and dynamic analysis of the Android application
Runtime instrumentation and traffic interception
Backend API, database, and cloud security testing
Authentication, authorization, and session management testing
Exploitation and validation of high-risk vulnerabilities
Key Findings:
The assessment identified multiple critical and high-risk vulnerabilities, including:
Unencrypted Storage of Medical Data on Device (Critical)
Broken Object-Level Authorization Allowing Access to Patient Records (Critical)
Insecure File Upload Leading to Remote Code Execution (Critical)
2 × SQL Injection in Backend APIs (High)
Hardcoded API Keys and Secrets in Mobile Application (High)
Application Repackaging and Runtime Tampering Vulnerability (High)
2 × Account Takeover via Session Mismanagement (High)
Insecure Logging of Sensitive Health Information (Medium)
These findings demonstrated weaknesses across mobile storage, backend APIs, database security, and server-side controls.
Impact:
If exploited, the identified vulnerabilities could have resulted in:
Full compromise of backend servers and databases
Unauthorized access to patient medical records
Manipulation or deletion of healthcare data
Regulatory violations and compliance failures
Severe reputational damage and loss of patient trust
Challenges Encountered:
During the engagement, several challenges were encountered and addressed:
Certificate pinning and restricted traffic inspection, requiring dynamic runtime bypass techniques
Heavily obfuscated application code, limiting static analysis effectiveness
Complex healthcare workflows and API authorization logic, requiring controlled exploitation to avoid data integrity impact
Sensitive production data, necessitating cautious validation of RCE and SQL injection findings
These challenges were mitigated through expert-led manual testing and careful exploitation strategies.
Recommendations:
Key remediation actions included:
Enforcing secure file upload handling and server-side validation
Using parameterized queries to prevent SQL injection
Encrypting all sensitive data stored on the device
Implementing strict object-level authorization checks
Removing hardcoded secrets and enforcing secure key management
Adding runtime protection and anti-tampering controls
Conducting regular mobile and backend security assessments
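To make the parameterized-query and object-level-authorization recommendations concrete, the following is an added illustration (not code from the engagement or from the client's application) of a "fetch one patient record" API handler in the shape that produces both the SQL injection and the broken object-level authorization findings, beside a hardened version. The records table, its rows and the patient ids are constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple

Record = Tuple[int, int, str]  # (record id, owning patient id, note)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema and sample rows, not the client's data model."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, patient_id INTEGER, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, 100, "patient 100: lab results"), (2, 200, "patient 200: prescription")],
    )
    return conn


def get_record_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """'Before' handler: the id from the request is formatted straight into the
    SQL text (injection), and nothing checks that the record belongs to the
    calling patient (broken object-level authorization)."""
    sql = f"SELECT id, patient_id, note FROM records WHERE id = {record_id}"
    return conn.execute(sql).fetchall()


def get_record_hardened(
    conn: sqlite3.Connection, caller_patient_id: int, record_id: str
) -> Optional[Record]:
    """'After' handler: strict input typing, a bound query parameter, and an
    ownership check. 'Not found' and 'not yours' both return None so the API
    does not reveal whether another patient's record id exists."""
    if not record_id.isdigit():  # reject anything that is not a plain integer id
        return None
    row = conn.execute(
        "SELECT id, patient_id, note FROM records WHERE id = ?", (int(record_id),)
    ).fetchone()
    if row is None or row[1] != caller_patient_id:  # object-level authorization
        return None
    return row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected id:", get_record_vulnerable(db, "1 OR 1=1"))
    print("hardened, other patient's id:", get_record_hardened(db, 100, "2"))
    print("hardened, own record:", get_record_hardened(db, 100, "1"))
```

Run stand-alone, the vulnerable handler returns every row for the injected id and any record for any caller, while the hardened handler returns only the caller's own record.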
Value Delivered:
Critical vulnerabilities impacting patient data and backend systems were identified and validated
Real-world attack paths, including RCE, were demonstrated with controlled proof of concept
Clear, prioritized remediation guidance supported risk reduction and compliance readiness
The overall security posture of the healthcare mobile application was significantly improved
Conclusion:
This engagement highlights the importance of end-to-end mobile security testing for healthcare platforms. By combining mobile, backend, database, and cloud security assessments, critical vulnerabilities were identified before they could be exploited, enabling the client to proactively protect patient data and platform integrity.