The research team analyzed 20 well-known, free mobile health apps that could be downloaded from Google Play. The studied health apps had to have at least 100,000 to 10 million downloads each and a minimum rating of 3.5 out of five (in terms of popularity). These apps managed, stored, and monitored the biomedical data of their users, such as health condition, diseases, or medical to-do lists.
In the first part of the study, the team looked at how the personal information of the users was handled. It uncovered that 20 percent of the apps kept data on the phones of the users. Moreover, one in every two apps requested and handled users' login passwords over an unsecured connection.
In addition, they highlighted that fifty percent of the apps shared users' personal data with third-party servers. The personal data included both text data and multimedia such as x-ray images. Furthermore, more than half of the apps sent the health data of users through URL links. This means that anyone who has those links can access the data. They also found that in 20 percent of these cases, the users were not referred to a privacy policy or the policy content was not available in English, which is the language of the app. Furthermore, several apps asked for access to users' geolocation, microphones, camera, contacts list, external storage card, or Bluetooth, even though the apps did not necessarily need it.
Then, the researchers informed the app developers about the issues they found. They noticed that even though some issues were fixed, such as unsafe health data transfers, other issues such as app usage data leaks were not addressed.
“Users must know that apps’ popularity does not ensure privacy and security,” said Agusti Solanas of Rovira I Virgili University in Spain, involved in the study. “People need to become more aware of the risk they are facing.”
“Our findings reveal that the majority of the analyzed applications does not follow well-known practices and guidelines, not even legal restrictions imposed by contemporary data protection regulations, thus jeopardizing the privacy of millions of users,” the researchers wrote.
This is not the first time that smartphone apps have been reported to share users' data with third-party services. An article published on the website TheConversation.com revealed that more than 70 percent of mobile apps are transmitting personal data to third-party tracking companies such as Google Analytics, the Facebook Graph API, or Crashlytics.
Typically, apps require the user's permission before accessing personal information. However, once the app gets the permission, it can share the user's data with anyone the app's developer wants to. This enables third-party companies to monitor your location, how fast you are moving, and what you are doing.
The researchers developed a free Android app to analyze the traffic apps send out in order to identify which applications and online services collect personal data.