Data collection ‘pervasive’ among mobile health apps

Medical, health, and fitness apps are increasingly popular tools, with many endorsed by the NHS and approved as ‘medical devices’ by regulators. The apps encompass a range of functions, from calorie counting to tracking menstruation and mood. While their benefits are well known, they pose concerns regarding data privacy due to the sensitive information they can access and the use of a business model centred on either subscriptions or collection of user data.

A team of researchers from Macquarie University, Australia, examined the extent of the data privacy threat through a privacy audit of more than 15,000 free health apps from the Google Play Store, comparing their privacy standards with those of 8,000 non-health apps.

They analysed the app files and source code (static analysis) for the presence of data-collection operations and third-party presence in app sources, investigated the network traffic generated as the app runs (dynamic analysis) for ads, trackers, and personal data transmission, and also considered reviews posted by users. The analysis involved extracting permissions requested by the app to access OS components, using supervised machine learning to assess privacy policies, and building a dedicated app testbed, which runs a tool to intercept all traffic transmitted to the internet. The apps were individually tested, with an average of 35 different activities each.

The researchers found that 88 per cent of the health apps in their study could access and potentially share personal data, such as location, email address, and IMEI.

Four per cent of the apps transmitted data (mostly health and fitness apps). While this is a significantly lower proportion than for other apps, they noted that this still represents a large number of apps and is a cause for concern. This is because over 87 per cent of the data collection and 56 per cent of the data transmission was on behalf of third-party services; the strong presence of third parties was confirmed by examining the app traffic, which largely went towards third-party servers.

“This percentage [4 per cent] is substantial and should be taken as a lower bound for the real data transmissions performed by the apps, because some transmissions might not be triggered in automated app testing,” the researchers wrote.

Overall, 665 unique third-party entities were identified from the sample, of which a small number of prominent third parties were responsible for most data collection. The most active third parties were Google (present in 45 per cent of medical apps and 50 per cent of health and fitness apps) and other major tech companies such as Facebook.

Although retrieval and sharing of user data by health apps is routine, the practices are relatively opaque. The Macquarie researchers found that, of the health apps, 28 per cent provided no valid policy text at all and at least 25 per cent of data transmission violated what was stated in existing privacy rules. The study also found that 23 per cent of user-data transmissions occurred on insecure communication channels.

“Our results show that the collection of personal user information is a pervasive practice in [mobile health] apps and not always transparent and secure,” the researchers said. They recommended that patients and clinicians should be made aware of the privacy practices and risks of these apps, including with the use of automated tools for summarising privacy policies if necessary. They also called for mobile app marketplaces to vet apps and their privacy policies before they are made available on their platforms.

“Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients. Such privacy risks should be articulated to patients and could be made part of app usage consent,” they concluded. “We believe the trade-off between the benefits and risks of mHealth apps should be considered for any technical and policy discussion surrounding the services provided by such apps.”

Meanwhile, a Wall Street Journal report has revealed that Apple progressed with a plan to launch its own subscription-based healthcare service – based on data collected from Watch – before refocusing its healthcare efforts on Apple Health. According to the report, Apple went as far as taking over a health clinic near Apple Park, hiring clinicians, engineers and product designers, and trialling an app for connecting employees with clinicians to set health goals. However, the app saw low take-up and prompted questions over data integrity, leading to the project’s abandonment.