Abstract
Mobile health (mHealth) apps are an ideal tool for monitoring and tracking long-term health conditions. In this paper, we examine whether mHealth apps succeed in ensuring the privacy, security, and safety of the health data entrusted to them. We investigate 154 apps from Android app stores using both automatic code and metadata analysis and a manual analysis of functionality and data leakage. Our study focuses on hypertension and diabetes, two common health conditions that require careful tracking of personal health data.
We find that many apps do not provide privacy policies or safe communications, are implemented in an insecure fashion, fail basic input validation tests, and often have low overall code quality, which suggests additional security and safety risks. We conclude with recommendations for app stores, app developers, and end users.
© 2015 IFIP International Federation for Information Processing
Knorr, K., Aspinall, D., Wolters, M. (2015). On the Privacy, Security and Safety of Blood Pressure and Diabetes Apps. In: Federrath, H., Gollmann, D. (eds) ICT Systems Security and Privacy Protection. SEC 2015. IFIP Advances in Information and Communication Technology, vol 455. Springer, Cham. https://doi.org/10.1007/978-3-319-18467-8_38
DOI: https://doi.org/10.1007/978-3-319-18467-8_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-18466-1
Online ISBN: 978-3-319-18467-8