What Data Privacy Risks Are Associated with Mobile Health Apps?

June 23, 2021 - In an analysis of over 20,000 mobile health (mHealth) apps available in the Google Play marketplace, researchers found that 88 percent contained code that had the ability to collect user data, according to a cross-sectional study published in the British Medical Journal.

The research revealed that most data collection operations involved third-party providers, and 23 percent of user data transmissions took place on insecure communication protocols. In addition, only 47 percent of data transmissions complied with the app’s privacy policies, and 28 percent of apps did not provide a privacy policy at all.

“Although the potential of mHealth apps to improve access to real time monitoring and health care resources is well established, they pose problems concerning data privacy because of the sensitive information they can access, the use of a business model that is [centered] on selling subscriptions or sharing user data, and the lack of enforcement of privacy standards around the world,” the study explained.

Researchers analyzed apps accessible in the Google Play store in Australia but found that the majority of the apps are also available in Europe and the United States. The study looked at data collection operations, third-party presence, privacy policies, traffic, adverts and trackers, and personal data transmission to form a complete picture of the cybersecurity risks posed by mHealth apps.

Most data collected by mHealth apps contained user location, contact information, and device identifiers. Specifically, the apps had access to international mobile equipment identity (IMEI), used for fingerprint identification on mobile phones, and media access control (MAC), which identifies the network interface in the user’s device.

Most apps also contained codes for collecting MAC data and app cookies. In 3.9 percent of observed apps, user data transmissions were tracked. The study explained that this percentage appears to be low because the automated app testing methods researchers used likely did not pick up on all data transmissions. The real percentage is likely significantly higher.

In addition, 55 percent of transmissions of user data were directed toward third-party servers. Apps with strong third-party presence tended to have increased user data collection, which indicates that the third-party entities may be sharing personal data with other commercial partners.

“We also observed that, compared with baseline non-mHealth apps, the mHealth apps included fewer data collection operations in their code, transmitted fewer user data, and showed a reduced penetration of third party services,” the study stated.

Medical apps were less likely to collect and share user data than health and fitness apps. Google Analytics and Google Ads were the most common third parties, with 45 percent of medical apps and almost half of health and fitness apps containing code and files from these entities. This is likely due to the app dataset being collected from the Google Play marketplace.

“Among the data that mHealth apps could collect, we found an important presence of persistent device identifiers and user contact information. The persistent device identifiers allowed individuals to be tracked over time and across different services, whereas the contact information directly affected an individual’s privacy,” the study continued.

The biggest security concern that the study identified was the lack of transparency in mHealth app privacy policies, or the lack of privacy policies altogether. At least 25 percent of user data transmissions directly violated the app’s privacy policy. In an analysis of mHealth app customer reviews, very few users expressed privacy concerns.

“Our results show that the collection of personal user information is a pervasive practice in mHealth apps, and not always transparent and secure. Patients should be informed on the privacy practices of these apps and the associated privacy risks before installation and use,” the study emphasized.

“Clinicians should understand the main privacy aspects of mHealth apps in their specialist area, along with their key functionalities, and be able to articulate these to patients in lay language.”

The use of mHealth apps is steadily rising, and for good reason—they can help people track their calories, check symptoms, and monitor sleep, all from the convenience of a personal device. But the data provided is quite personal, meaning it is susceptible to breaches and privacy concerns.

A recent report found that the 30 most popular mHealth apps on the market are extremely vulnerable to API attacks that give unauthorized access to patient records and personally identifiable information (PII). The report found that an estimated 23 million app users have been exposed through the top 30 mHealth apps alone.