Researchers have raised serious privacy concerns over the use of medical apps in the Google Play store after noting that the majority share user data with third parties.
They simulated real-world use of the apps in the lab via four dummy scripts.
“To identify privacy leaks, one source of user data was modified and deviations in the resulting traffic observed,” the research explained.
The paper found that 79% of those apps studied shared user data with 55 unique entities. Nearly two-thirds of these (67%) “related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.”
A further third (33%) of these unique entities provided cloud and other related IT infrastructure services.
The paper warned that the functionality gained from these apps may not be enough to compensate the privacy lost by users.
“Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” it concluded.
“Privacy regulation should emphasize the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.”
Tripwire director of security research and development, Lamar Bailey, argued that data collected by health apps could also be at risk of theft by cyber-criminals.
“Although it is well known and documented that apps use customers’ data as a currency, it is particularly troubling when that data includes sensitive information such as medical records and health metrics,” he added.
“It is paramount that these apps clearly state in their registration process if they plan to divulge their customers’ information to third parties, so that subscribers are able to opt out. All too often these terms on usage are buried in the user agreement and the only way to opt out is to not use the app.”