Privacy threats to mobile health apps: an analysis of data collection practices

Abstract

Users often install mobile health applications (mHealth apps) to improve their health and lifestyle. mHealth apps collect sensitive personal health related information and may share them with various stakeholders. Many of these mHealth apps that consumers use for their personal lifestyle benefits are not required to be compliant with any regulation, such as the Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR). Our investigation reveals that there is a mismatch between what an app description states about privacy, what permissions it requests from the end user as declared in its manifest file, privacy regulations (GDPR), and what privacy practices are actually enforced by the app. We provide a formal definition of mHealth apps and discuss an automated approach that uses a pre-trained language model to identify and analyze 13,177 mHealth apps from Google Playstore. We identify the ten most common privacy threats in mHealth apps and map them to GDPR policy violations. Privacy violations pertaining to GDPR include the absence of a consent management system, inconsistent permissions with respect to the app description, and sharing personally identifiable information (PII) without consent. Our analysis reveals that only 4.28% had a consent mechanism, over 88% of app network transmissions shared some form of personally identifiable information (PII) without consent, and nearly 83.7% requested permissions from the users without explaining their use cases. Our research has been successful in building automated tools for detecting privacy violations for some, but not all, of the identified threats.