Researchers noted transmissions of specific sensitive data, such as a user’s drug list, that could identify the user and be repurposed for commercial uses.
After creating dummy accounts on highly rated Android medical apps and analyzing their traffic, an investigation published Wednesday in BMJ found that nearly four in five shared users’ data with outside entities. What’s more, the Australian research team determined that several of the groups receiving the user information would likely be able to aggregate the data and use it to pinpoint a specific individual.
“[Mobile health] apps claim to offer tailored and cost effective health promotion, but they pose unprecedented risk to consumers’ privacy given their ability to collect user data, including sensitive information,” the study’s authors wrote. “Health app developers routinely, and legally, share consumer data with third parties in exchange for services that enhance the user’s experience (eg, connecting to social media) or to monetise the app (eg, hosted advertisements). Little transparency exists around third-party data sharing, and health apps routinely fail to provide privacy assurances, despite collecting and transmitting multiple forms of personal and identifying information.”
Among the 24 apps selected from the top of the Google Play store, researchers found that 19 (79 percent) shared users’ data with 55 different first-party and third-party entities. All but three of these apps transmitted data such as device name, browsing behavior and email address outside of the app, and two-thirds of the entities receiving the data are affiliated with collection for advertising or other analytics services.
Six percent of the 104 transmissions identified and analyzed by the researchers were sent in plain text, with at least three of the health apps leaking some kind of user data in clear text. In some cases, the researchers noted transmissions of specific sensitive data, such as a user’s drug list, that could feasibly be repurposed and sold to companies looking to commercialize these data. Also of note, 19 of the apps (79 percent) requested permission to read or write from the device, 11 (46 percent) to view WiFi connections, seven (29 percent) to read the device’s cellular status and identity, and 25 percent to access the user’s approximate or precise location.
HOW IT WAS DONE
The researchers used a crawling tool and other recommendations to identify 821 free and paid medical apps, each of which was screened by name and inclusion criteria such as availability to Australian consumers, relationship to medicine or care, interactivity, in-app requests of at least one “dangerous” permission and more. From there, the team created dummy accounts to conduct a traffic analysis of the shared data as well as a content and network analysis of the entities to which the data was being sent.
WHAT’S THE HISTORY
A number of investigations have sounded the alarm on data security and privacy concerns in health apps, especially in light of recent headlines on Strava, Polar and others’ GPS-related woes.
In February, for instance, one study found that many health apps were insecure and did not conform to GDPR’s specifications, while a more recent project found similar issues among mental health apps. Xcertia, a standards and guidelines body for mobile apps, recently updated its draft guidance on privacy and security for health app designers at this year’s HIMSS conference.
“Our analysis of the data sharing practices of top rated medicines related apps suggests that sharing of user data is routine, yet far from transparent,” the researchers wrote. “Clinicians should be conscious about the choices they make in relation to their app use and, when recommending apps to consumers, explain the potential for loss of personal privacy as part of informed consent. Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services.”
Date: March 25, 2019