
    Free Health Apps, Search Keywords Are a Threat to Privacy: Report

    By
    Brian T. Horowitz
    -
    July 22, 2013

      Privacy Rights Clearinghouse (PRC), a nonprofit focused on consumer privacy, has released a study showing that mobile health and fitness apps threaten a user’s privacy with search loopholes and a lack of encryption.

      Paid health apps had a lower risk of violating privacy than free apps, because free apps require advertising for revenue, according to the report, “Technical Analysis of the Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications,” unveiled on July 16.

      With less of a need for advertising, paid apps are less likely to share data with third parties, said Craig Michael Lie Njie, founder and CEO of Kismet World Wide Consulting, who carried out the study between March and June 2013. The California Consumer Protection Foundation funded the project.

      “Paid apps do not have a lot of advertising embedded,” Lie Njie told eWEEK. “They were just providing the core functionality because the people paying for the app are the ones driving the revenue stream.”

      The free apps drive advertising with keywords that could draw on the user data, he suggested.

      Developers of free mobile software are “basically delivering the apps so they can provide advertising and analytics to a third party, and that’s where the revenue stream comes from,” Lie Njie said. “Those kinds of technologies are generally the more privacy invasive.”

      In a paid app, advertising and revenue models are more closely aligned with consumers, he noted.

      Still, even though paid health apps tended to be more secure than free apps, paid apps also pose a danger to privacy, according to Lie Njie. Developers of paid apps sent data to their servers in the clear using HTTP, he noted.

      A privacy risk found among the apps was the tendency to use HTTP rather than HTTPS, according to Lie Njie.

      Many health apps transmit unencrypted data and connect to third-party sites without a patient’s knowledge, PRC reported.

      For his technical evaluation, Lie Njie studied mobile apps that aid with diet and exercise, pregnancy, behavioral and mental health. Apps included symptom checkers and relaxation aids as well as those that help people manage chronic conditions.

      Consumers often assume that because they’re storing health information in an app, it should be secure, Lie Njie noted.

      “That’s one of the key misconceptions—because it’s dealing with health data, people assume there’s something out there protecting them,” he said.

      Although the study researchers didn’t notice a problem with apps running in the background, users should delete apps and related content after they’re finished using them, Lie Njie advised.

      PRC didn’t consider whether the privacy risks were potential violations of the Health Insurance Portability and Accountability Act (HIPAA) because the wellness apps were not being monitored by a physician or health system, Beth Givens, director of Privacy Rights Clearinghouse, told eWEEK. “These app publishers and app developers are not covered entities,” said Givens, referring to the term for companies such as health systems or doctor’s practices that are subject to HIPAA guidelines.

      In addition to not using HTTPS, the biggest privacy risks when using mobile health apps also included unencrypted network connections and data being sent to advertisers as keywords, Lie Njie said.

      To avoid these risks, developers can make sure the apps use HTTPS (Secure Sockets Layer-encrypted) network connections to transmit data between an app and an Internet server, the report stated.

      In addition, a mobile app shouldn’t be tied to a third-party advertiser or analytics service, according to the report. “Data disclosed to these third parties was found to be a major privacy risk,” the report stated.

      Also, developers should implement search, such as for information about medical conditions, as a POST request rather than a GET request, according to the PRC report. POST requests carry data in the message body, whereas GET requests encode it in the URL.
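The GET-versus-POST difference described above, shown as an added example that is not taken from the PRC report. The endpoint, the `q` parameter and the search term are constructed for illustration. It builds the same search both ways and shows what ends up in the request line that an access log typically records.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed sample values: the host and the search term are hypothetical.
SEARCH_ENDPOINT = "https://api.health-app.example/search"
TERM = "type 2 diabetes symptoms"


def build_get(term):
    """Search as GET: the term is serialized into the URL query string."""
    return Request(SEARCH_ENDPOINT + "?" + urlencode({"q": term}), method="GET")


def build_post(term):
    """Search as POST: the term travels in the form-encoded message body."""
    body = urlencode({"q": term}).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(SEARCH_ENDPOINT, data=body, headers=headers, method="POST")


def request_line(req):
    """The request line an access log typically records: method, path, query."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f"{req.get_method()} {target} HTTP/1.1"


def url_exposes_term(req, term):
    """True if the term can be read from the URL alone, and so from anything
    that stores or forwards the URL (logs, history, Referer headers)."""
    return urlencode({"q": term}) in req.full_url


if __name__ == "__main__":
    for req in (build_get(TERM), build_post(TERM)):
        print(request_line(req), "| term in URL:", url_exposes_term(req, TERM))
```

Moving the term into the body keeps it out of URLs, but the body is still readable on the network unless the connection uses HTTPS, which the report recommends separately.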

      An additional risk was storing health data on an SD card of an Android device, and then losing the device, Lie Njie noted.

      “If somebody has access to the device, they can pull the SD card out, and in general most of the apps stored data locally on the device are unencrypted,” he said.

      The study looked at 43 health and fitness apps, including the top 20 paid apps in the health and fitness categories in Google Play and Apple App Store, as well as 23 free apps on these platforms. It found that 43 percent or a little under half provided a link to a Website privacy policy, according to PRC. In addition, only about half of these policies accurately detailed an app’s technical processes.

      “The privacy policies were not at all accurate in terms of providing the complete picture of what is happening to the data provided by the user of the app,” Givens said.

      “The lawyers will write the policies in a way that sounds OK, but it opens up a door for the developers to do basically whatever they want,” Lie Njie explained. “They don’t give you any information about the fact that they’re sending every search term you look at,” such as researching a medical condition, he said.

      In addition to alerting developers and consumers to privacy risks with mobile apps, PRC wanted to provide some best practices on how to use the apps in a safe way, Givens said.

      Best practices for developers include not transmitting data that an application’s core functionality doesn’t require and avoiding URL replay attacks by using single-use or expiring URLs.
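One way to build the single-use, expiring URLs mentioned above, as an added example that is not from the PRC report. The parameter names (`exp`, `nonce`, `sig`), the path and the in-memory nonce store are assumptions. The server signs the path, expiry and a random nonce with HMAC-SHA256, then rejects any URL that is tampered with, expired or already redeemed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = secrets.token_bytes(32)  # server-side signing key (assumption)
_used_nonces = set()              # in-memory store; a real service needs shared storage


def _sign(path, expires, nonce):
    """HMAC over every field the client could otherwise alter."""
    msg = f"{path}\n{expires}\n{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(path, ttl_seconds, now=None):
    """Return a relative URL that is valid once, for ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    nonce = secrets.token_urlsafe(16)
    sig = _sign(path, expires, nonce)
    return f"{path}?{urlencode({'exp': expires, 'nonce': nonce, 'sig': sig})}"


def redeem_url(url, now=None):
    """Validate a URL; returns 'ok' or the reason it was rejected."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        nonce = query["nonce"][0]
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return "malformed"
    expected = _sign(parts.path, expires, nonce)
    # Constant-time comparison, done on bytes so odd input cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    if now >= expires:
        return "expired"
    if nonce in _used_nonces:
        return "replayed"
    _used_nonces.add(nonce)  # burn the nonce: a captured URL cannot be reused
    return "ok"
```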

      Brian T. Horowitz
      Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York. Follow him on Twitter: @bthorowitz
