A study, published in the British Medical Journal, examined more than 15,000 health and fitness apps and found that – while they tend to collect less data than other apps – the vast majority of them can access user data and may share it.
Medical, health and fitness apps are increasingly popular tools, many of which are approved by the NHS and approved as ‘medical devices’ by regulators.
The apps include a range of features from calorie counting to menstrual and mood tracking. While their benefits are well known, they raise data privacy concerns because of the sensitive information they access and their business models, which focus on subscriptions or the collection of user data.
A team of researchers from Macquarie University, Australia, examined the magnitude of the data privacy threat through a privacy audit of more than 15,000 free health apps from the Google Play Store, comparing their privacy standards to those of 8,000 non-health apps.
They analyzed the app files and source code (static analysis) for data collection operations and the presence of third parties in app sources, examined the network traffic generated while the app was running (dynamic analysis) for advertising, trackers and personal data transmission, and also analyzed reviews posted by users.
The analysis involved extracting app-requested permissions to access OS components, using supervised machine learning to review privacy policies, and building a dedicated app testbed, which runs a tool to monitor and intercept all traffic being sent to the Internet.
The apps were tested individually, with an average of 35 different activities each. The researchers found that 88 percent of the health apps in their study could access and potentially share personal information, such as location, email address, and IMEI. Four percent of apps transmit data (mainly health and fitness apps).
While this is a significantly lower proportion than other apps, they noted that this still represents a large number of apps and is a cause for concern.
This is because more than 87 percent of data collection and 56 percent of data transfer was commissioned by third parties; the strong presence of third parties was confirmed by examining app traffic, which largely went to third party servers.
“This percentage [4 percent] is significant and should be considered a lower bound for the real data transmissions performed by the apps, as some transmissions may not be triggered on automated app testing,” the researchers wrote.
In total, 665 unique external entities were identified from the sample, with a small number of prominent third parties responsible for most of the data collection.
The most active third parties were Google (present in 45 percent of medical apps and 50 percent of health and fitness apps) and other large tech companies such as Facebook. While the retrieval and sharing of user data by health apps is routine, the practices are relatively opaque.
The Macquarie researchers found that 28 percent of health apps failed to deliver a valid policy text at all, and at least 25 percent of data transfers violated existing privacy rules. The survey also found that 23 percent of user data transfers took place on insecure communication channels.
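As an added illustration (not code from the study or its authors), the sketch below shows the kind of check a dynamic-analysis testbed can run over intercepted requests: find seeded personal data, then mark whether it went to a third party and whether it travelled over plain HTTP. The identifiers, package names, domains and the two-label `site` heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed identifiers seeded on the test handset before each run (assumed values).
SEEDED = {"email": "tester@example.org", "imei": "490154203237518",
          "location": "-33.77380,151.11260"}

# Constructed capture records: (app package, app's own domain, request URL, request body).
FLOWS = [
    ("org.example.steps", "example.org",
     "https://api.example.org/v1/sync", "email=tester%40example.org&steps=4012"),
    ("org.example.steps", "example.org",
     "http://ads.tracker.example.net/i?imei=490154203237518&ll=-33.77380%2C151.11260", ""),
    ("org.example.mood", "example.com",
     "https://collect.metrics.example.net/e", '{"uid":"tester@example.org"}'),
    ("org.example.mood", "example.com",
     "https://cdn.example.com/img/logo.png", ""),
]

def site(host):
    """Last two DNS labels; a real audit would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def seeded_kinds(url, body):
    """Kinds of seeded personal data visible in the decoded URL or body."""
    haystack = unquote_plus(url) + "\n" + unquote_plus(body)
    return sorted(k for k, v in SEEDED.items() if v in haystack)

def audit(flows):
    """One finding per request that carries seeded personal data."""
    findings = []
    for app, own_domain, url, body in flows:
        kinds = seeded_kinds(url, body)
        if not kinds:
            continue
        parts = urlsplit(url)
        findings.append({"app": app, "dest": parts.hostname, "kinds": kinds,
                         "third_party": site(parts.hostname) != site(own_domain),
                         "cleartext": parts.scheme == "http"})
    return findings

def summarise(findings):
    """Counts corresponding to the article's transmission metrics."""
    return {"transmissions": len(findings),
            "to_third_party": sum(f["third_party"] for f in findings),
            "over_cleartext": sum(f["cleartext"] for f in findings)}

if __name__ == "__main__":
    print(summarise(audit(FLOWS)))
```

Matching on seeded values only catches data sent in plain or URL-encoded form; hashed or otherwise transformed identifiers need additional encodings of each seeded value added to the search.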
“Our results show that collecting personal user information is a ubiquitous practice in [mobile health] apps and is not always transparent and secure,” the researchers said.
They also called for mobile app marketplaces to review apps and their privacy policies before making them available on their platforms. “Mobile apps are fast becoming sources of information and decision support tools for clinicians and patients alike.
Such privacy risks should be made clear to patients and could be part of app use consent,” they concluded. “We believe that the trade-off between the benefits and risks of mHealth apps should be considered for any technical and policy discussion about the services provided by such apps.”
Meanwhile, a Wall Street Journal report has revealed that Apple made progress with a plan to launch its own subscription-based healthcare service — based on data collected from Watch — before refocusing its health care efforts on Apple Health.
According to the report, Apple went as far as acquiring a health clinic near Apple Park, hiring clinicians, engineers and product designers, and trialling an app to connect employees with clinicians to set health goals.
However, little use was made of the app and questions were raised about data integrity, which resulted in the project being halted.