Health Apps Share User Data Without Users Knowledge

It’s very common to see the use of mobile health apps nowadays. These apps track health metrics to promote healthdul living and so record a variety of sensitive health data. But consumers may have no idea how their data is used and who has access to the information.

Any data recorded by an app is typically shared with several third parties and the developers usually monetize the data. However, consumers know little or nothing about the practice.

BMJ published a study on the data sharing practices of medicines-associated apps. According to the study, 19 of the 24 apps studied or 79% disclosed consumer data to third parties.

The types of apps the study evaluated include apps related to dispensing, management, prescription or use of medications. Every app was put through simulated real world test using four dummy scripts.

The researchers discovered that user data was disclosed to 55 different entities, composed of app developers, third-party service providers and parent companies, which could have acquired or processed the information. 67% of the third party service providers collect or analyze data and include analytics and advertising. 33% of the service providers offer infrastructure associated services.

71% of apps sent user data, such as the name of the device, the operating system, browsing behavior and email address to an outside entity. A number of the applications sent sensitive data like the user’s location and drug list.

Although some of the information that was disclosed were not really sensitive, for instance the Android ID or name of device, it’s possible to use the information together with other information in order to identify the user. A number of companies within the network could combine and re-identify user information.

The study detected 104 transmissions, 94% were encrypted while 6% used cleartext. 13% of the studied apps exposed some user information in cleartext.

The researchers also conducted a network analysis and found out that first and third parties got a median of three unique user data transmissions and third parties were found to market their capability to share user information with 216 fourth parties.

Many apps also asked for permissions considered as dangerous by the researchers. Typically, the applications asked for these ‘dangerous’ permissions:

  • 79% asked for permissions to read and write to device storage
  • 46% asked to view Wi-Fi connections
  • 29% asked to read the listed accounts on the device
  • 29% asked to access information about the phone’s status, which include network data, telephone number, and when someone calls the user
  • 25% asked to get the location of the user

Although the applications were legit and data sharing is lawful, the researchers observed that transparency regarding this practice is not enough. Companies often use consumer data for marketing purposes, which somewhat takes advantage of consumers.

The researchers additionally gave a warning regarding medicine related applications. The use of such apps could lead to the potential loss of personal privacy. Privacy regulators should weigh the loss of privacy against the benefit of using digital health services.