Free Health Apps, Search Keywords Are a Threat to Privacy: Report

By Brian T. Horowitz  |  Posted 2013-07-22 Print this article Print

Consumers often assume that because they're storing health information in an app, it should be secure, Lie Njie noted.

"That's one of the key misconceptions—because it's dealing with health data, people assume there's something out there protecting them," he said.

Although the study researchers didn't notice a problem with apps running in the background, users should delete apps and related content after they're finished using them, Lie Njie advised.

PRC didn't consider when the privacy risks were potential violations of the Health Insurance Portability and Accountability Act (HIPAA) because the wellness apps were not being monitored by a physician or health system, Beth Givens, director of Privacy Rights Clearinghouse, told eWEEK. "These app publishers and app developers are not covered entities," said Givens, referring to the term for companies such as health systems or doctor's practices that are subject to HIPAA guidelines.

In addition to not using HTTPS, the biggest privacy risks when using mobile health apps also included unencrypted network connections and data being sent to advertisers as keywords, Lie Njie said.

To avoid these risks, developers can make sure the apps use HTTP (Secure Socket Layer-encrypted) network connections to transmit data between an app and an Internet server, the report stated.

In addition, a mobile app shouldn't be tied to a third-party advertiser or analytics service, according to the report. "Data disclosed to these third parties was found to be a major privacy risk," the report stated.

Also, developers should enable search, such as for information about medical conditions, as a POST request rather than a GET request, according to the PRC report. POST requests encode data in a message body while with GET requests, browsers encode data in a URL.

An additional risk was storing health data on an SD card of an Android device, and then losing the device, Lie Njie noted.

"If somebody has access to the device, they can pull the SD card out, and in general most of the apps stored data locally on the device are unencrypted," he said.

The study looked at 43 health and fitness apps, including the top 20 paid apps in the health and fitness categories in Google Play and Apple App Store, as well as 23 free apps on these platforms. It found that 43 percent or a little under half provided a link to a Website privacy policy, according to PRC. In addition, only about half of these policies accurately detailed an app's technical processes.

"The privacy policies were not at all accurate in terms of providing the complete picture of what is happening to the data provided by the user of the app," Givens said.

"The lawyers will write the policies in a way that sounds OK, but it opens up a door for the developers to do basically whatever they want," Lie Njie explained. "They don't give you any information about the fact that they're sending every search term you look at," such as researching a medical condition, he said.

In addition to alerting developers and consumers to privacy risks with mobile apps, PRC wanted to provide some best practices on how to use the apps in a safe way, Givens said.

Best practices for developers include not transmitting data that an application's core functionality doesn't require and avoiding URL replay attacks by using single-use or expiring URLs.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel