Mobile health apps routinely collect personal user data

Long gone are the days when mobile phone apps were primarily for smashing cartoon pigs, much less simply making phone calls. Helpful apps are now central to many people’s daily lives.

According to Statista data, Apple’s App Store carries 2.2 million apps for iPhone users, and Google’s Google Play Store offers 3.48 million apps for users of phones with the company’s Android operating system.

Among these are an estimated 99,366 medical, health, and fitness apps. Collectively, they are referred to as mHealth apps.

The mHealth apps available on the Google Play Store are the subject of a new study from researchers at Macquarie University in Sydney, Australia.

While users may assume mHealth apps protect the privacy of sensitive health data, the study finds that 88% of these apps sold on the Google Play Store are designed to harvest user information.

The researchers performed an analysis of free Google Play Store mHealth apps, comparing their collection of personal data with non-mHealth apps. While the mHealth apps generally collected less personal information, the study nonetheless found significant harvesting of user data.

Assessing mHealth apps
The authors of the study examined Google Play Store mHealth apps in three ways.

First, they perused publicly stated privacy policies for the store’s paid and free mHealth apps. Each of these typically lists the user data collected and what the app’s developer plans to do with them. Of the 20,991 apps, 28.1%, or 5,903 apps, offered no privacy policy.

The researchers then downloaded 15,838 free mHealth apps from the store and used a programming tool to reverse engineer the apps to assess their data collection capabilities.

The analysis identified 65,068 data collection routines, an average of about four per app.

Two-thirds of the apps could collect advertising identifiers and data cookies that track a user’s activity as they navigate the internet. A third of the apps were programmed to collect a user’s email address — information that can be sold to bulk email advertisers — and about a quarter could provide developers with a user’s location.

Finally, the researchers launched each app and observed the silent transmission of personal data. Of the apps tested, 616, or 3.9%, were observed sending out user data.

However, since the researchers did not fully test all of each app’s features, their observations likely describe the minimum amount of data collection and transmission being executed.

The personal data the apps transmit
Analyzing the intercepted traffic, the researchers discovered that the personal data were transmitted to 665 unique third-party entities.

Google was the recipient of 34% of the transmitted personal data, followed most closely by Facebook, with 14%.

The primary types of data being sent from a user’s device included contact information, location, device identifiers, and app cookies. User email addresses constituted 33% of the intercepted data, and users’ current cell tower — 25%.

Only 55% of the data collecting apps met the standards set forth in their privacy policies.

A great deal of the data — as much as 23% — were also transmitted using the unencrypted HTTP, as opposed to HTTPS, protocol, further exposing users’ personal information to interception.

A call for more accountability
“In my opinion, even with the increased focus on data privacy, mHealth apps are a net positive,” environmental psychologist and well-being consultant Lee Chambers told Medical News Today. “However, several significant areas need improvement across the spectrum, which include increasing trust, improving functionality, clarity on privacy, content assurance and usability.”

An editorialTrusted Source calling for greater transparency in the collection of user data by apps in general, and mHealth apps in particular, accompanies the release of the Macquarie study.

The editorial says that “[p]rivacy regulation also still largely relies on the idea that an ‘informed consumer’ can choose apps with adequate privacy assurances.”

Its authors note, however, that the frequent lack of published privacy policies identified by the Macquarie researchers undermines such transparency.

“I believe we should expect data privacy and have total clarity on how our data will be stored, used, and protected. The continued concerns around this are limiting their use both initially and over the longer term,” Chambers commented.