Developing SaMD

Building Secure Medical Devices on Mobile Platforms

By Magda Kocot Mazur

There were more than 107,000 healthcare apps available in the Apple App Store and Google Play at the beginning of 2021 [1] — a number that is growing rapidly. The total global market for mobile medical applications is expected to exceed $11 billion by 2025. Driving this explosive growth is increased user awareness of the benefits of a healthy lifestyle, better treatment outcomes, and expanded use of smartphones.

In turn, companies are looking to capitalize on the opportunities in the mobile market. If you’re among them, here are key aspects you should consider when designing and developing medical device software for mobile platforms, including smartphones and tablets.

Is Your App Subject to Regulation?

To start, you need to determine whether your mobile application meets the definition of a medical device and is thus subject to regulatory requirements (FDA 21 CFR Part 820 in the USA, Regulations (EU) 2017/745 and 2017/746 in the EU, CMDR in Canada). Software that falls into the medical device category includes software intended for diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease or other conditions.

Software that meets the definition and is additionally intended for mobile platforms is called a mobile medical app.

Generally, wellness and lifestyle apps that help users to stay fit, maintain a healthy weight, exercise, get optimal nutrition or adequate sleep lie outside of regulatory oversight. This group also includes applications that support administrative and management tasks, for example those enabling patient registration, scheduling or communication with healthcare providers.

Device Class

Once you know whether your app is subject to regulation, you should determine its class, which determines the regulatory path it must follow and the requirements it must meet. Familiarize yourself with the following standards: IEC 62304 (software lifecycle processes), ISO 14971 (risk management), IEC 62366 (usability engineering), and ISO 13485 (quality management system).

(You can learn more about the requirements for medical device software, classification, and the differentiation between regulated and unregulated Software as a Medical Device (SaMD) in What You Need to Know About Developing SaMD and Regulatory Considerations for Medical Device Software.)

Operating Systems

The next thing you should consider is the operating system. You can go for one specific platform (Android, iOS, BlackBerry) or decide to build a cross-platform app. Either way, you should verify your medical app on all of the OS versions that you claim your app is compatible with. Also, you should ensure that your app is working seamlessly once the newest version of the OS becomes available, and provide a verification strategy in your procedure. 

An important factor to consider when choosing an OS is the adoption rate (the percentage of users who have moved to the newest OS version), which is much higher for iOS. For example, iOS 14 has an adoption rate of around 85% on iPhones [2], whereas Android 11 runs on around 30% of devices [3]. Thus, if you develop an app for Android you may end up verifying your mobile app on many OS versions and providing bug fixes for older versions, because Android users continue to use outdated OS versions.

Besides updates and verification, the OS influences many other aspects. These include:

Programming language

The basic programming languages used to build Android apps are Java and Kotlin, whereas iOS apps are built with Objective-C and Swift. The decision should include consideration of programming language limitations, functionalities, debugging and testing tools. 

User interface

Android’s interface and basic features are much more customizable than iOS, which has a uniform and consistent design.

Security

Unlike iOS, Android is an open-source platform, which may make it more susceptible to cyberattacks. However, both platforms provide security safeguards that should be used to increase app safety. More on this in a moment.

Hardware

Mobile applications run on various mobile devices — hardware — that have different technical capabilities related to memory, CPU, Bluetooth, NFC, screen size, and resolution, among others. As with the OS version, you should determine hardware requirements, specify the compatible mobile models and test your medical application with them.

However, the vast number of different models makes this challenging — even impossible. If that’s the case, you can address this issue by defining and verifying minimum hardware requirements that are relevant for the proper app performance. 

In order to assure your mobile medical application is displayed correctly on a variety of devices and screen sizes you can apply responsive-design principles. This assures that content adjusts smoothly to various display sizes and thus provides consistent design across devices. (Remember: a mobile device is not considered a medical device unless it has a medical purpose on its own.)

Cybersecurity

Like all applications, mobile medical apps are vulnerable to cyberattacks. The major difference is the exposure of PHI (Protected Health Information), which requires separate protections beyond simply preventing the device from being compromised. One can distinguish technical safeguards (implemented in product development) and administrative safeguards (e.g. managing access to servers that store PHI). Regarding technical safeguards, you should consider the following aspects when designing and developing your app:

Data storage

You can make sure that sensitive data is stored securely by using APIs provided by the iOS (keychain) or Android (keystore). They enable storing data such as passwords, private keys, certificates and secure notes in an encrypted database. You can also limit the number of permissions requested by the app.
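The following Kotlin class is an added example, not code from the article: it shows the pattern the paragraph describes on Android, with a non-exportable AES-256 key held in the Android Keystore and the ciphertext written only to the app's private storage (the sandbox directory readable by this app's UID alone). The class name `SealedStore`, the key alias and the file layout are assumptions made for the example.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper (not from the article). The key never leaves the Keystore:
// only encrypt/decrypt operations are delegated to it, so a copy of the app's
// files does not yield the key material.
class SealedStore(private val context: Context) {
    private val alias = "phi_store_key" // constructed alias for the example
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // Returns the existing key or generates a new AES-256 key restricted to GCM.
    private fun key(): SecretKey {
        (keyStore.getKey(alias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setRandomizedEncryptionRequired(true) // Keystore chooses a fresh IV per encryption
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }
            .generateKey()
    }

    // Encrypts and writes. File layout (assumed): [1 byte IV length][IV][ciphertext || GCM tag].
    // openFileOutput rejects names containing path separators, so the file
    // cannot escape the app's private directory.
    fun put(name: String, plaintext: ByteArray) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())
        val iv = cipher.iv
        val sealed = cipher.doFinal(plaintext)
        // MODE_PRIVATE: readable only by this app (the platform sandbox), never world-readable
        context.openFileOutput(name, Context.MODE_PRIVATE).use { out ->
            out.write(iv.size)
            out.write(iv)
            out.write(sealed)
        }
    }

    // Reads and decrypts. Any modification of the stored bytes makes doFinal
    // throw AEADBadTagException, so tampering is detected rather than silently read.
    fun get(name: String): ByteArray {
        val bytes = context.openFileInput(name).use { it.readBytes() }
        val ivLen = bytes[0].toInt()
        val iv = bytes.copyOfRange(1, 1 + ivLen)
        val body = bytes.copyOfRange(1 + ivLen, bytes.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, iv))
        return cipher.doFinal(body)
    }
}
```

Calling `SealedStore(context).put("vitals.bin", bytes)` and later `get("vitals.bin")` round-trips the data; the key itself is never readable from the app process. For data that should only be usable after the user unlocks the device, `setUserAuthenticationRequired(true)` can be added to the builder, at the cost of having to authenticate the user (for example with the platform biometric prompt) before each use of the key.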

Data in transit

Secure data that is sent over a network by applying TLS with 256-bit encryption in your mobile app.
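As an added illustration (not code from the article), the Kotlin class below wraps the platform `SSLSocketFactory` so that every socket it creates negotiates only TLS 1.2 or 1.3 with AES-256-GCM cipher suites, and fails closed if the device offers none of them. The class name `StrictTlsSocketFactory` and the helper `fetchOverStrictTls` are assumptions for the example; the certificate validation and hostname verification are deliberately left to the platform defaults.

```kotlin
import java.net.InetAddress
import java.net.Socket
import java.net.URL
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory

// Hypothetical wrapper (not from the article): delegates socket creation to the
// platform factory and then narrows the protocol and cipher-suite lists.
class StrictTlsSocketFactory(private val delegate: SSLSocketFactory) : SSLSocketFactory() {
    private val protocols = arrayOf("TLSv1.3", "TLSv1.2")
    // 256-bit AEAD suites only; TLS 1.3 suite first, ECDHE suites for TLS 1.2
    private val ciphers = arrayOf(
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    )

    override fun getDefaultCipherSuites(): Array<String> = ciphers
    override fun getSupportedCipherSuites(): Array<String> = ciphers

    override fun createSocket(s: Socket, host: String, port: Int, autoClose: Boolean): Socket =
        harden(delegate.createSocket(s, host, port, autoClose))
    override fun createSocket(host: String, port: Int): Socket =
        harden(delegate.createSocket(host, port))
    override fun createSocket(host: String, port: Int, localHost: InetAddress, localPort: Int): Socket =
        harden(delegate.createSocket(host, port, localHost, localPort))
    override fun createSocket(host: InetAddress, port: Int): Socket =
        harden(delegate.createSocket(host, port))
    override fun createSocket(address: InetAddress, port: Int, localAddress: InetAddress, localPort: Int): Socket =
        harden(delegate.createSocket(address, port, localAddress, localPort))

    // Restrict the socket before the handshake starts. If the platform supports
    // none of the required suites we refuse to connect rather than downgrade.
    private fun harden(socket: Socket): Socket {
        if (socket is SSLSocket) {
            socket.enabledProtocols = protocols
            val supported = socket.supportedCipherSuites.toSet()
            val enabled = ciphers.filter { it in supported }.toTypedArray()
            require(enabled.isNotEmpty()) { "no AES-256-GCM cipher suite available on this device" }
            socket.enabledCipherSuites = enabled
        }
        return socket
    }
}

// Hypothetical usage: fetch a resource and confirm what was actually negotiated.
fun fetchOverStrictTls(url: String): String {
    val conn = URL(url).openConnection() as HttpsURLConnection // cast fails for http://, which is intended
    conn.sslSocketFactory = StrictTlsSocketFactory(SSLContext.getDefault().socketFactory)
    // The default TrustManager and HostnameVerifier stay in place; replacing them
    // with permissive ones is the classic mobile TLS mistake.
    conn.connect()
    check(conn.cipherSuite.contains("AES_256_GCM")) { "unexpected suite: ${conn.cipherSuite}" }
    return conn.inputStream.bufferedReader().use { it.readText() }
}
```

On Android the same policy should also be declared in the app's network security configuration (a `<base-config cleartextTrafficPermitted="false">` entry referenced from the manifest), so that no library in the app can fall back to plain HTTP, and the negotiated `cipherSuite` is worth logging during verification on each supported OS version, since older Android releases do not offer the TLS 1.3 suite.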

Authentication and authorization

To prevent unauthorized users from gaining access to your app, set password requirements and use multi-factor authentication to verify users' identities. You can also implement different user roles and permissions, and set session timeouts that automatically log out the user after a specified period of inactivity.
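The Kotlin code below is an added example, not part of the article, that puts the three controls of this paragraph into one place: a password policy check, role-based permissions with least privilege by default, and an idle-timeout session that is torn down on the first protected action after it expires. The roles, permissions, 12-character minimum, 5-minute idle limit and the injectable clock are assumptions chosen for the example.

```kotlin
import java.util.concurrent.TimeUnit

enum class Role { PATIENT, CLINICIAN, ADMIN }
enum class Permission { VIEW_OWN_RECORDS, VIEW_ANY_RECORD, EDIT_TREATMENT_PLAN, MANAGE_USERS }

// Hypothetical policy (constructed for the example): each role gets only what it needs.
private val grants: Map<Role, Set<Permission>> = mapOf(
    Role.PATIENT to setOf(Permission.VIEW_OWN_RECORDS),
    Role.CLINICIAN to setOf(Permission.VIEW_OWN_RECORDS, Permission.VIEW_ANY_RECORD, Permission.EDIT_TREATMENT_PLAN),
    Role.ADMIN to setOf(Permission.MANAGE_USERS), // admins do not see clinical data
)

// Constructed deny-list; a real deployment would use a much larger one.
private val commonPasswords = setOf("password1234", "123456789012", "qwertyuiop12")

// Returns the unmet requirements, empty when the password is acceptable.
fun passwordPolicyViolations(pw: String): List<String> = buildList {
    if (pw.length < 12) add("at least 12 characters")
    if (pw.none { it.isLetter() }) add("at least one letter")
    if (pw.none { it.isDigit() }) add("at least one digit")
    if (pw.lowercase() in commonPasswords) add("not a commonly used password")
}

class AuthorizationDenied(message: String) : SecurityException(message)

class Session(
    val userId: String,
    val role: Role,
    private val now: () -> Long,
    private val idleLimitMs: Long,
) {
    private var lastActivity = now()
    fun isExpired(): Boolean = now() - lastActivity > idleLimitMs
    fun touch() { lastActivity = now() }
}

// Single choke point for every protected action in the app.
class SessionManager(
    private val now: () -> Long = System::currentTimeMillis,
    private val idleLimitMs: Long = TimeUnit.MINUTES.toMillis(5),
) {
    private var current: Session? = null

    // Login completes only after the second factor was verified by the caller.
    fun login(userId: String, role: Role, mfaVerified: Boolean) {
        if (!mfaVerified) throw AuthorizationDenied("second factor not verified for $userId")
        current = Session(userId, role, now, idleLimitMs)
    }

    fun logout() { current = null }

    // Expired sessions are discarded before the permission is even considered;
    // a live session has its idle timer reset by the activity.
    fun authorize(permission: Permission): Session {
        val s = current ?: throw AuthorizationDenied("not logged in")
        if (s.isExpired()) {
            logout()
            throw AuthorizationDenied("session timed out after inactivity")
        }
        s.touch()
        if (permission !in grants.getValue(s.role)) {
            throw AuthorizationDenied("role ${s.role} may not $permission")
        }
        return s
    }
}

// Stand-alone walk-through with a fake clock so the timeout can be exercised.
fun main() {
    println(passwordPolicyViolations("short1"))          // [at least 12 characters]
    println(passwordPolicyViolations("correct-horse-7"))  // []

    var clock = 0L
    val sessions = SessionManager(now = { clock }, idleLimitMs = TimeUnit.MINUTES.toMillis(5))
    sessions.login("pt-001", Role.PATIENT, mfaVerified = true)
    sessions.authorize(Permission.VIEW_OWN_RECORDS)      // allowed
    runCatching { sessions.authorize(Permission.VIEW_ANY_RECORD) }
        .onFailure { println("denied: ${it.message}") }   // wrong role
    clock += TimeUnit.MINUTES.toMillis(6)                // user walks away
    runCatching { sessions.authorize(Permission.VIEW_OWN_RECORDS) }
        .onFailure { println("denied: ${it.message}") }   // timed out, session cleared
}
```

Routing every screen and API call through `authorize` is what makes the timeout enforceable: an app that only hides buttons in the UI still leaves the underlying actions reachable. The idle limit and the role map are the values to tune during risk management, not the enforcement logic.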

App segregation

Prevent your app from accessing or modifying files stored by other apps, and prevent it from making changes to the device (the sandbox feature provided by iOS).

Code quality

Use static and dynamic code analysis to detect memory leaks and buffer overflows. When using third-party libraries and tools, make sure to verify the source and the known-anomaly list, and test them as appropriate.

You can read more about device cybersecurity in Take Measures to Help Avoid a Ransomware Nightmare.

Conclusion

To ensure the safety and efficacy of mobile medical apps, you must address a variety of issues specific to mobile platforms, including platform capabilities, compatibility with the latest OS releases, flawless usability across various mobile platforms via responsive design, distribution via platform stores — and perhaps most significantly, effective cybersecurity.

In the next installment of our series, we provide insights on AI-based SaMD, including the current regulatory approach and best practices to achieve compliance.