Do mHealth apps protect user privacy?

Share on Pinterest
Recently, there has been a boom in smartphone health apps, designed to help people take charge of their health and well-being. But how good are these apps at protecting user privacy?
Photo editing by Lauren Azor; Yifei Fang/Getty Images
  • A study of mobile health (mHealth) apps available on the Google Play Store finds that a large percentage of them are programmed for the collection of personal user data.
  • Data collected by over 15,000 free apps that the researchers assessed were intercepted being transmitted to 665 third parties.
  • mHealth apps collect and share less data than other app types, but they still harvest a significant amount of personal user information.

Long gone are the days when mobile phone apps were primarily for smashing cartoon pigs, much less simply making phone calls. Helpful apps are now central to many people’s daily lives.

According to Statista data, Apple’s App Store carries 2.2 million apps for iPhone users, and Google’s Google Play Store offers 3.48 million apps for users of phones with the company’s Android operating system.

Among these are an estimated 99,366 medical, health, and fitness apps. Collectively, they are referred to as mHealth apps.

The mHealth apps available on the Google Play Store are the subject of a new study from researchers at Macquarie University in Sydney, Australia.

While users may assume mHealth apps protect the privacy of sensitive health data, the study finds that 88% of these apps sold on the Google Play Store are designed to harvest user information.

The researchers performed an analysis of free Google Play Store mHealth apps, comparing their collection of personal data with non-mHealth apps. While the mHealth apps generally collected less personal information, the study nonetheless found significant harvesting of user data.

The study appears in the journal The BMJ.

The authors of the study examined Google Play Store mHealth apps in three ways.

First, they perused publicly stated privacy policies for the store’s paid and free mHealth apps. Each of these typically lists the user data collected and what the app’s developer plans to do with them. Of the 20,991 apps, 28.1%, or 5,903 apps, offered no privacy policy.

The researchers then downloaded 15,838 free mHealth apps from the store and used a programming tool to reverse engineer the apps to assess their data collection capabilities.

The analysis identified 65,068 data collection routines, an average of about four per app.

Two-thirds of the apps could collect advertising identifiers and data cookies that track a user’s activity as they navigate the internet. A third of the apps were programmed to collect a user’s email address — information that can be sold to bulk email advertisers — and about a quarter could provide developers with a user’s location.

Finally, the researchers launched each app and observed the silent transmission of personal data. Of the apps tested, 616, or 3.9%, were observed sending out user data.

However, since the researchers did not fully test all of each app’s features, their observations likely describe the minimum amount of data collection and transmission being executed.

Analyzing the intercepted traffic, the researchers discovered that the personal data were transmitted to 665 unique third-party entities.

Google was the recipient of 34% of the transmitted personal data, followed most closely by Facebook, with 14%.

The primary types of data being sent from a user’s device included contact information, location, device identifiers, and app cookies. User email addresses constituted 33% of the intercepted data, and users’ current cell tower — 25%.

Only 55% of the data collecting apps met the standards set forth in their privacy policies.

A great deal of the data — as much as 23% — were also transmitted using the unencrypted HTTP, as opposed to HTTPS, protocol, further exposing users’ personal information to interception.

“In my opinion, even with the increased focus on data privacy, mHealth apps are a net positive,” environmental psychologist and well-being consultant Lee Chambers told Medical News Today. “However, several significant areas need improvement across the spectrum, which include increasing trust, improving functionality, clarity on privacy, content assurance and usability.”

An editorial calling for greater transparency in the collection of user data by apps in general, and mHealth apps in particular, accompanies the release of the Macquarie study.

The editorial says that “[p]rivacy regulation also still largely relies on the idea that an ‘informed consumer’ can choose apps with adequate privacy assurances.”

Its authors note, however, that the frequent lack of published privacy policies identified by the Macquarie researchers undermines such transparency.

“I believe we should expect data privacy and have total clarity on how our data will be stored, used, and protected. The continued concerns around this are limiting their use both initially and over the longer term,” Chambers commented.

The editorial’s authors conclude:

“We must also advocate for greater scrutiny, regulation, and accountability on the part of key players behind the scenes — the app stores, digital advertisers, and data brokers — to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise.”