Privacy Rights Clearinghouse (PRC), a nonprofit focused on consumer privacy, has released a study showing that mobile health and fitness apps threaten a user’s privacy with search loopholes and a lack of encryption.
Paid health apps had a lower risk of violating privacy than free apps, because free apps rely on advertising for revenue, according to the report, “Technical Analysis of the Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications,” unveiled on July 16.
With less of a need for advertising, paid apps are less likely to share data with third parties, said Craig Michael Lie Njie, founder and CEO of Kismet World Wide Consulting, who carried out the study between March and June 2013. The California Consumer Protection Foundation funded the project.
“Paid apps do not have a lot of advertising embedded,” Lie Njie told eWEEK. “They were just providing the core functionality because the people paying for the app are the ones driving the revenue stream.”
The free apps drive advertising with keywords that could draw on the user data, he suggested.
Developers of free mobile software are “basically delivering the apps so they can provide advertising and analytics to a third party, and that’s where the revenue stream comes from,” Lie Njie said. “Those kinds of technologies are generally the more privacy invasive.”
In a paid app, advertising and revenue models are more closely aligned with consumers, he noted.
Still, even though paid health apps tended to be more secure than free apps, paid apps also pose a danger to privacy, according to Lie Njie. Developers of paid apps sent data to their servers in the clear using HTTP, he noted.
A privacy risk found among the apps was the tendency to use HTTP rather than HTTPS, according to Lie Njie.
Many health apps transmit unencrypted data and connect to third-party sites without a patient’s knowledge, PRC reported.
For his technical evaluation, Lie Njie studied mobile apps that aid with diet and exercise, pregnancy, behavioral and mental health. Apps included symptom checkers and relaxation aids as well as those that help people manage chronic conditions.
Free Health Apps, Search Keywords Are a Threat to Privacy: Report
Consumers often assume that because they’re storing health information in an app, it should be secure, Lie Njie noted.
“That’s one of the key misconceptions—because it’s dealing with health data, people assume there’s something out there protecting them,” he said.
Although the study researchers didn’t notice a problem with apps running in the background, users should delete apps and related content after they’re finished using them, Lie Njie advised.
PRC didn’t consider whether the privacy risks were potential violations of the Health Insurance Portability and Accountability Act (HIPAA) because the wellness apps were not being monitored by a physician or health system, Beth Givens, director of Privacy Rights Clearinghouse, told eWEEK. “These app publishers and app developers are not covered entities,” said Givens, referring to the term for companies such as health systems or doctors’ practices that are subject to HIPAA guidelines.
In addition to not using HTTPS, the biggest privacy risks when using mobile health apps also included unencrypted network connections and data being sent to advertisers as keywords, Lie Njie said.
To avoid these risks, developers can make sure the apps use HTTPS (Secure Sockets Layer-encrypted) network connections to transmit data between an app and an Internet server, the report stated.
In addition, a mobile app shouldn’t be tied to a third-party advertiser or analytics service, according to the report. “Data disclosed to these third parties was found to be a major privacy risk,” the report stated.
Also, developers should implement search, such as for information about medical conditions, as a POST request rather than a GET request, according to the PRC report. POST requests carry data in the message body, while GET requests encode it in the URL.
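The three risks named above (cleartext transport, third-party hosts and search terms carried in the URL) can be checked mechanically against traffic captured from an app under test. The following is an added example, not code from the PRC report; the host names, parameter names and captured requests are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of requests captured from an app under test (not real traffic).
CAPTURED = [
    ("GET", "http://api.healthapp.example/search?q=diabetes+symptoms"),
    ("GET", "https://ads.tracker.example/pixel?kw=diabetes&uid=1234"),
    ("POST", "https://api.healthapp.example/search"),  # term sent in the body
]

FIRST_PARTY = {"api.healthapp.example"}  # assumed: hosts the developer operates
SENSITIVE_PARAMS = {"q", "query", "kw", "keyword", "search"}  # assumed names


def audit(method, url):
    """Return the list of privacy findings for one captured request."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("cleartext-transport")
    if parts.hostname not in FIRST_PARTY:
        findings.append("third-party-host")
    # A query string is part of the URL, so it is written to server access
    # logs and can leak through Referer headers even when HTTPS is used.
    leaked = {k for k, _ in parse_qsl(parts.query) if k.lower() in SENSITIVE_PARAMS}
    if leaked:
        findings.append("search-term-in-url:" + ",".join(sorted(leaked)))
    return findings


def audit_all(requests):
    """Map 'METHOD url' to its findings for every captured request."""
    return {f"{m} {u}": audit(m, u) for m, u in requests}


if __name__ == "__main__":
    for request, findings in audit_all(CAPTURED).items():
        print(request, "->", findings or ["ok"])
```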
An additional risk was storing health data on an SD card of an Android device, and then losing the device, Lie Njie noted.
“If somebody has access to the device, they can pull the SD card out, and in general most of the apps stored data locally on the device are unencrypted,” he said.
“The privacy policies were not at all accurate in terms of providing the complete picture of what is happening to the data provided by the user of the app,” Givens said.
“The lawyers will write the policies in a way that sounds OK, but it opens up a door for the developers to do basically whatever they want,” Lie Njie explained. “They don’t give you any information about the fact that they’re sending every search term you look at,” such as researching a medical condition, he said.
In addition to alerting developers and consumers to privacy risks with mobile apps, PRC wanted to provide some best practices on how to use the apps in a safe way, Givens said.
Best practices for developers include not transmitting data that an application’s core functionality doesn’t require and avoiding URL replay attacks by using single-use or expiring URLs.