They allow us to see and upload some of our most personal information with the tap of a finger.
But after you read this story, you might second guess whether you trust the ones you use.
Medical apps on all kinds of devices are increasingly being adopted as part of a "connected health" model that has a lot of potential upside for both patients and medical providers.
However, a new study gives these apps a troubling diagnosis.
"We have come to the alarming conclusion that the majority of the analyzed apps do not meet the expected standards for security and privacy, thus endangering their users’ sensitive personal data."
In fact, researchers say many of the apps they reviewed, "Fail to provide even basic protection to privacy."
Parameters of new study on medical app privacy problems
The study was conducted by several researchers in the Department of Informatics at the University of Piraeus in Greece.
They reviewed 20 medical apps with these parameters:
- English language
- Android platform
- At least 100,000 downloads
- Minimum app rating of 3.5 stars in Google Play store
- Entering health/personal data info is required
- App must be free
The researchers set up a proxy to log and analyze information flowing between the app and the servers it was communicating with.
Big picture results: medical app privacy problems
Researchers wanted to answer three main questions with their analysis:
- Which parties have access to personal data from the app?
- What data, exactly, can each party access?
- How safe is each communication channel?
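As an added illustration (not code from the study or from the original article), the three questions above can be applied to a proxy capture. The first-party domain, the sensitive field names and the sample requests below are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions for this sketch: the app's own backend domain and the field
# names treated as sensitive are hypothetical, not taken from the study.
FIRST_PARTY = "healthapp.example"
SENSITIVE = {"email", "password", "symptoms", "condition", "lat", "lon"}

# Constructed sample of proxy-logged requests: (method, URL, form-encoded body).
FLOWS = [
    ("POST", "http://api.healthapp.example/login",
     "email=a%40b.example&password=hunter2"),
    ("POST", "https://api.healthapp.example/diary",
     "symptoms=headache&condition=migraine"),
    ("GET", "https://ads.tracker.example/collect?lat=37.94&lon=23.65&uid=42", ""),
    ("GET", "https://cdn.healthapp.example/logo.png", ""),
]


def is_first_party(host, domain=FIRST_PARTY):
    """True when host is the app vendor's domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit(flows, sensitive=SENSITIVE):
    """Return one finding per logged request that carries sensitive fields."""
    findings = []
    for method, url, body in flows:
        parts = urlsplit(url)
        host = parts.hostname or ""
        # What data: sensitive field names in the query string or the body.
        in_url = {k for k, _ in parse_qsl(parts.query)} & sensitive
        in_body = {k for k, _ in parse_qsl(body)} & sensitive
        if not (in_url or in_body):
            continue
        findings.append({
            "host": host,                               # which party
            "third_party": not is_first_party(host),
            "fields": sorted(in_url | in_body),         # what data
            "cleartext": parts.scheme == "http",        # how safe the channel is
            "in_url": bool(in_url),  # URL data also ends up in server logs
        })
    return findings


if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```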
The end result revealed so many privacy and security problems I'm not sure where to start. The full research is dozens of pages. But here are a few low-lights:
- All of the apps logged sensitive information, which should not happen
- Many apps transferred sensitive information without encryption
- Many of the apps transferred data over HTTP instead of HTTPS
- Many of the apps generate internal URLs, and anyone who has that URL could view patient information
- 50% of the apps send data to third parties, including marketing firms
- Several of the apps provide geolocation details, some without asking permission, and in one case, the user location was reported every three seconds!
I could go on, but these bullet points certainly paint a disturbing picture, don't they?
Read the Medical App Privacy Problems research yourself if this is your area of interest.
Also, I'll report back after I interview Rebecca Herold, The Privacy Professor, about this study. We'll be seeing her as she delivers the keynote presentation at SecureWorld Atlanta on May 30-31.
Lastly, here is the ultimate conclusion of the researchers in this study:
"According to our analysis, a relevant number of popular m-health apps could violate users’ privacy by revealing sensitive information such as health conditions, medical symptoms, photos, location, e-mails and passwords."
And that... is a scary diagnosis.