Health in iOS 8
Overview and Security/Privacy Implications
Alban Diquet, December 3rd, 2014
About Me
• Security Researcher at Data Theorem
• Focusing on the iOS platform
• We scan mobile applications for security and privacy issues
• iOS, Android, Windows Phone
• Continuous protection
Agenda
• Health in iOS 8
• Overview of the HealthKit API
• Security and Privacy Implications
• Conclusion
Health in iOS 8
Health in iOS 8
• Many new health/fitness features were introduced in iOS 8
• All grouped under the “Health” umbrella term
• “Health” actually refers to two components:
• The HealthKit API, to be used by App developers
• The Health App, to be used by end-users
• Only available on the iPhone
HealthKit
• Many fitness and health Apps in the iTunes Store
• Before iOS 8, health data gathered by each of these Apps would live in silos
• Limited compatibility and data sharing between Apps and devices
• Developers spent time implementing libraries to store/display/share health data
• No way to get a single, comprehensive view of your health situation
HealthKit
• The HealthKit API was created as a centralized data store for all health information
• Apps and devices can store and retrieve health data from the phone’s HealthKit store
• Apple has also partnered with major healthcare players (Mayo Clinic, software vendor Epic Systems)
• Goal is to integrate HealthKit into healthcare/hospital software
• Patient data sharing, health monitoring and alerts, etc.
HealthKit Apps
• Many Apps are already integrated with HealthKit
• Fitness: Nike Running, Sleepio, Weight Watchers, etc.
• Healthcare: Mayo Clinic, AthenaWell, etc.
HealthKit Accessories
• Compatible Bluetooth LE devices can directly interface with HealthKit
• Heart-rate transmitters
• In a few months: Apple Watch
• Other devices must have a companion App that can retrieve the data and save it to HealthKit for them
The Health App
• Apple’s HealthKit Companion App
• Dashboard for all of the user’s health information
• Review health data collected by HealthKit Apps and devices
• Add health information (weight, blood type, etc.)
• Manage HealthKit Apps permissions
Demo
Health on Other Platforms
• Google Fit in Android 5.0
• Very similar to HealthKit
• Samsung Architecture Multimodal Interaction
• “Sits between devices that collect data, and algorithms in the cloud that analyze that data”
• First accessory: Samsung FitBand
Overview of the HealthKit API
HealthKit API
• Apps and devices can write data to the HealthKit store
• Such Apps are referred to as “sources”
• Apps can also access health data from the store
• Access to the Health store requires the HealthKit iOS capability/entitlement
• Apps also have to ask for the user’s permission before being able to read/write to the store
HKObjectType
• Each piece of data saved in the Health store has a type
• The API defines a strict set of types of health data
• Blood glucose level, heart rate, calories, running distance, etc.
• No way to add new "types" of data
HKObjectType
HealthKit Permissions
• Any access to the Health store requires the user’s consent
• Permission is based on
• The type of access: read or write
• The type of health data: heart rate, steps count, etc.
• Permission model is finer-grained than other iOS permissions (location, contacts, etc.)
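The permission flow described above, as an added example (not code from the deck; written in current Swift syntax, whereas iOS 8 used the older Objective-C-style constant names). The types requested are assumptions for a hypothetical fitness app. It also makes the point the deck raises later visible in code: `authorizationStatus(for:)` reports only the write (sharing) decision, and a denied read request is indistinguishable from a store that simply holds no data.

```swift
import HealthKit

// Hypothetical app: writes heart rate, reads heart rate, steps and blood glucose.
// Read and write sets are separate because HealthKit grants them separately, per type.
let heartRate = HKObjectType.quantityType(forIdentifier: .heartRate)!
let stepCount = HKObjectType.quantityType(forIdentifier: .stepCount)!
let bloodGlucose = HKObjectType.quantityType(forIdentifier: .bloodGlucose)!

let store = HKHealthStore()

/// Shows the HealthKit consent sheet for the requested types.
func requestHealthAccess(completion: @escaping (Bool) -> Void) {
    // The Health store only exists on iPhone; on other devices this is false.
    guard HKHealthStore.isHealthDataAvailable() else {
        completion(false)
        return
    }
    let toShare: Set<HKSampleType> = [heartRate]
    let toRead: Set<HKObjectType> = [heartRate, stepCount, bloodGlucose]
    store.requestAuthorization(toShare: toShare, read: toRead) { completed, error in
        // `completed` only means the prompt was processed, not which types were granted.
        completion(completed && error == nil)
    }
}

/// Reports the app's *write* (sharing) status for each type.
/// There is deliberately no read equivalent: a reader app never learns whether
/// an empty result set means "no data" or "user said no".
func describeSharingStatus() -> [String: String] {
    var result: [String: String] = [:]
    for type in [heartRate, stepCount, bloodGlucose] {
        let label: String
        switch store.authorizationStatus(for: type) {
        case .notDetermined:     label = "not asked yet"
        case .sharingDenied:     label = "write denied"
        case .sharingAuthorized: label = "write allowed"
        @unknown default:        label = "unknown"
        }
        result[type.identifier] = label
    }
    return result
}
```

Because read denials are invisible, a reader app should treat an empty query result as normal and must not infer anything about the user from it.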
Demo
Querying the Health Store
• Multiple ways to read data from the store
• Sample query: general-purpose query to access any type of data
• Observer query: long-running query that monitors the store and notifies the App when a change happens
• Statistics query: perform calculations (min, max, sum, etc.) over stored data and retrieve the result
• Source query: search for sources (apps and devices) that have saved matching data to the store
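Three of the four query kinds listed above, as an added example that is not part of the deck (current Swift syntax; the 24-hour window, the heart-rate and step types, and the callback shapes are assumptions for illustration). The source query is shown together with the write path in the next section.

```swift
import HealthKit

let store = HKHealthStore()
let stepType = HKObjectType.quantityType(forIdentifier: .stepCount)!
let heartRateType = HKObjectType.quantityType(forIdentifier: .heartRate)!

/// Predicate covering the last 24 hours (assumed window for the example).
func lastDayPredicate() -> NSPredicate {
    let now = Date()
    let start = Calendar.current.date(byAdding: .day, value: -1, to: now)!
    return HKQuery.predicateForSamples(withStart: start, end: now, options: .strictStartDate)
}

/// Sample query: general-purpose read, here the newest heart-rate readings first.
func fetchRecentHeartRates(limit: Int, completion: @escaping ([Double]) -> Void) {
    let sort = NSSortDescriptor(key: HKSampleSortIdentifierStartDate, ascending: false)
    let query = HKSampleQuery(sampleType: heartRateType, predicate: lastDayPredicate(),
                              limit: limit, sortDescriptors: [sort]) { _, samples, _ in
        // A read denial is not reported as an error: the result set is just empty.
        let bpm = HKUnit.count().unitDivided(by: .minute())
        let values = (samples as? [HKQuantitySample])?.map { $0.quantity.doubleValue(for: bpm) } ?? []
        completion(values)
    }
    store.execute(query)
}

/// Statistics query: HealthKit computes the sum; the app never sees the raw samples.
func fetchStepTotal(completion: @escaping (Double?) -> Void) {
    let query = HKStatisticsQuery(quantityType: stepType,
                                  quantitySamplePredicate: lastDayPredicate(),
                                  options: .cumulativeSum) { _, stats, _ in
        completion(stats?.sumQuantity()?.doubleValue(for: .count()))
    }
    store.execute(query)
}

/// Observer query: long-running; the handler fires whenever heart-rate data changes.
/// The returned query must be kept alive (and can be stopped with `store.stop(_:)`).
func watchHeartRate(onChange: @escaping () -> Void) -> HKObserverQuery {
    let query = HKObserverQuery(sampleType: heartRateType, predicate: nil) { _, done, error in
        if error == nil { onChange() }
        // Tell HealthKit the update was handled; required for background delivery.
        done()
    }
    store.execute(query)
    return query
}
```

For a reader app that only needs aggregates (daily totals, averages), the statistics query is the least privacy-invasive choice: the computation happens inside HealthKit and the individual records never leave the store.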
Writing to the Health Store
• Writing is referred to as “sharing” in the documentation
• The data "source" (App or device) is automatically stored along with the actual data object
• Allows keeping track of where the data came from
• Optionally, a digital signature can be stored along with the data object
• Intended to provide data integrity for sample records generated by a trusted device
• Signature is based on SHA256 and ECDSA
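The write path and the source query together, as an added example (not from the deck; current Swift syntax). Saving a sample needs the sharing permission for that type, and HealthKit attaches the calling app as the sample's source itself. The `HKMetadataKeyDigitalSignature` key is real, but the deck only says the signature is SHA256/ECDSA based, so the `signatureBase64` value here is an assumed placeholder handed over by a trusted accessory, not a worked signing routine.

```swift
import HealthKit

let store = HKHealthStore()
let heartRateType = HKObjectType.quantityType(forIdentifier: .heartRate)!
let bpm = HKUnit.count().unitDivided(by: .minute())

/// Saves one heart-rate sample. The source (this app) is recorded by HealthKit,
/// not by the caller, so an app cannot label its data as coming from a device.
/// `signatureBase64` is an assumption: a signature produced by the accessory that
/// took the reading, stored so readers can check the record's integrity.
func saveHeartRate(_ value: Double, at date: Date, signatureBase64: String?,
                   completion: @escaping (Bool) -> Void) {
    var metadata: [String: Any] = [:]
    if let signature = signatureBase64 {
        metadata[HKMetadataKeyDigitalSignature] = signature
    }
    let sample = HKQuantitySample(type: heartRateType,
                                  quantity: HKQuantity(unit: bpm, doubleValue: value),
                                  start: date, end: date,
                                  metadata: metadata.isEmpty ? nil : metadata)
    store.save(sample) { success, error in
        // Fails (with an error) if the user denied write access for heart rate.
        completion(success && error == nil)
    }
}

/// Source query: every app or device that has written heart-rate data to the store.
/// A reader app can use this to decide which sources it trusts before acting on data.
func listHeartRateSources(completion: @escaping ([String]) -> Void) {
    let query = HKSourceQuery(sampleType: heartRateType, samplePredicate: nil) { _, sources, _ in
        completion((sources ?? []).map { "\($0.name) (\($0.bundleIdentifier))" })
    }
    store.execute(query)
}
```

The source field is what makes the "injecting invalid data" risk discussed later tractable: a misbehaving app can write garbage, but it cannot hide that the garbage came from it.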
Security and Privacy Implications
Privacy and Security
• Fine-grained permissions: the user decides which data types the App has access to
• Apps cannot determine whether or not the user has granted permission to read data
• Knowing that the user has denied a request to read a particular type of data may reveal potential health problems (diabetes, etc.)
• The Health store is encrypted when the device is locked
• HealthKit data is not saved to iCloud or synced across multiple devices
Privacy and Security
• However, nothing prevents an App that was granted access to HealthKit from misbehaving
• Leaking data to third-parties (Apps, servers, etc.)
• Injecting invalid data in the Health store
• This puts even more pressure on Apple’s App Store vetting process
• Apps requesting the HealthKit capability most likely trigger a more scrutinized review
• Not all Apps go through the App Store
App Store Requirements
• “App Store Review Guidelines” document updated with specific rules for HealthKit Apps
• Apps using the HealthKit framework must provide a privacy policy or they will be rejected
• Apps using the HealthKit framework that store users’ health information in iCloud will be rejected
• Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes
Additional Best Practices
• Do not cache health data locally in the App’s folder
• Only read/write health data from/to the Health store
• Avoid sending the user's health data to a server
• Try to do most of the processing on the device
• As a source App, consider checking if the device has a passcode set before recording sensitive health data
• As a reader App, only request access to the types of data that are actually needed for the App’s functionality
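The source-app practices above (request only what is needed, write straight to the store, check for a passcode first), as an added example that is not from the deck. The deck does not say how to detect a passcode; using `LAContext` from LocalAuthentication for that is an assumption of this example, as are the blood-glucose type and the mg/dL unit.

```swift
import HealthKit
import LocalAuthentication

let store = HKHealthStore()
let glucoseType = HKObjectType.quantityType(forIdentifier: .bloodGlucose)!
let mgPerDL = HKUnit(from: "mg/dL")

/// Ask only for the one type this source app writes, and for nothing to read.
/// Fewer types means a shorter consent sheet and less data exposed if the app misbehaves.
func requestMinimalAccess(completion: @escaping (Bool) -> Void) {
    store.requestAuthorization(toShare: [glucoseType], read: []) { completed, error in
        completion(completed && error == nil)
    }
}

/// Assumed way to implement "check if the device has a passcode set": a device-owner
/// authentication policy can only be evaluated when a passcode exists (biometrics
/// always sit on top of one).
func deviceHasPasscode() -> Bool {
    var error: NSError?
    return LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: &error)
}

/// Writes a glucose reading directly to the Health store and keeps no copy in the
/// app's own container. Refuses when no passcode is set, since the store is only
/// encrypted at rest while the device is locked.
func recordGlucose(_ value: Double, at date: Date, completion: @escaping (Bool) -> Void) {
    guard deviceHasPasscode() else {
        completion(false)
        return
    }
    let sample = HKQuantitySample(type: glucoseType,
                                  quantity: HKQuantity(unit: mgPerDL, doubleValue: value),
                                  start: date, end: date)
    store.save(sample) { success, error in
        completion(success && error == nil)
    }
}
```

Refusing to record rather than silently degrading keeps the decision visible to the user, who can set a passcode and retry.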
Conclusion
• Exciting new technology
• Opens up new possibilities
• Which also brings additional risks
• Privacy and security mechanisms in place to reduce these risks
• More pressure on Apple’s review process
Thanks!