Privacy and Security Analysis of mHealth Apps

The widespread availability of Mobile Health (mHealth) applications has been significantly accelerated by the outbreak of the COVID-19 pandemic. While bringing many benefits, from self-monitoring to medical consultations, mHealth apps process many sensitive health-related user data. Therefore, they are subject to privacy regulations set by government, such as General Data Protection Regulation (GDPR) in the EU and Health Insurance Portability and Accountability Act (HIPAA) in the USA, as well as privacy guidelines of the app store (e.g., Google Android). In this work, we analyze the privacy, compliance, and security of 232 mHealth apps in the Android ecosystem, mainly focusing on the most popular free apps (199), but also considering a sample of paid apps (25) and healthcare provider/clinician apps published on the US Centers for Disease Control and Prevention (CDC)'s website (8). For our analysis, we leverage both static approaches, such as privacy policy and APK analysis, and dynamic approaches, like network traffic inspection and analysis of in-app consent acquisition. Our findings reveal that 85.4\% of the free mHealth apps do not properly inform the users about all the aspects of the data processing required by the regulations. In addition, they often contain conflicting or incomplete information: only 2.51% of them are completely consistent. Moreover, 55.8% of these apps process user data without explicit consent. Our analysis shows that, when compared to free apps, paid ones are less careful in writing the privacy policy, while containing a lower number of trackers and dangerous permissions on average. We found that 76% of these apps fail in obtaining explicit consent and 84% of them process some types of data without informing the user. Concerning the CDC-endorsed apps, while we did not detect a pervasive presence of trackers, dangerous permissions or sensitive data in the network traffic, our results show that all of them have incomplete privacy policies and fail to ask for explicit consent before accessing their services. As we consider apps with a mean of 8 millions downloads each, our study impacts a lot of end-users and helps creating awareness of mHealth apps' privacy importance among both users and developers.