The applications chosen by the researchers had been downloaded between 100,000 and 10 million times and had a minimum rating of 3.5 out of 5. To analyse their levels of security, the researchers intercepted, stored and monitored private data relating to users' health problems, illnesses and medical records. The researchers analysed how the applications communicated, how they stored information, which permissions they required to operate, and how they handled the data. The results showed the existence of serious security problems in the way users' data were handled.
Only 20% of the applications stored the data on the user's smartphone, and one in two requested and administered passwords without using a secure connection. The researchers also found that 50% of the applications shared data with third parties, including text, multimedia content or X-ray images.
Information for businessesOn completing the analysis, the researchers contacted the software developers to inform them of the security problems. After waiting for a given period, they then analysed the same parameters and found that although some of the security issues had been fixed (e.g. insecure health data transfers or the ability to identify users via insecure data transfers to third parties), other problems such as data leaks regarding the use of the application had not been resolved.
The research has been partially funded by the European OPERANDO project (as part of the H2020 programme) and has also received funding from the COST programme (Cooperation in Science and Technology) through Acció Cryptacus.
A Papageorgiou, M Strigkos, E Politou, E Alepis, A Solanas, C Patsakis.
Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice.
IEEE Explore. DOI: 10.1109/ACCESS.2018.2799522.