Researcher testing of 30 mobile health apps for clinicians found that all of them had vulnerable APIs. 77 percent of them contained hardcoded API keys, which would allow an attacker to intercept the information exchanged over those APIs. Seven percent of these keys belonged to third-party payment processors that explicitly warn against hardcoding their secret keys in plain text. More than a quarter (27 percent) of mobile apps tested didn't have code-obfuscation protections against reverse engineering. 100 percent of API endpoints tested were vulnerable to Broken Object Level Authorization attacks.
Source: https://threatpost.com/mhealth-apps-millions-cyberattacks/163966/