On the Privacy, Security and Safety of Blood Pressure and Diabetes Apps

  • Konstantin Knorr
  • David Aspinall
  • Maria Wolters
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 455)


Mobile health (mHealth) apps are an ideal tool for monitoring and tracking long-term health conditions. In this paper, we examine whether mHealth apps succeed in ensuring the privacy, security, and safety of the health data entrusted to them. We investigate 154 apps from Android app stores using both automatic code and metadata analysis and a manual analysis of functionality and data leakage. Our study focuses on hypertension and diabetes, two common health conditions that require careful tracking of personal health data.

We find that many apps do not provide privacy policies or secure communications, are implemented in an insecure fashion, fail basic input validation tests, and often have low overall code quality, which suggests additional security and safety risks. We conclude with recommendations for app stores, app developers, and end users.





Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Konstantin Knorr (University of Edinburgh, Edinburgh, UK; Trier University of Applied Sciences, Trier, Germany), corresponding author
  • David Aspinall (University of Edinburgh, Edinburgh, UK)
  • Maria Wolters (University of Edinburgh, Edinburgh, UK)
