Security Analysis of Top-Ranked mHealth Fitness Apps: An Empirical Study
- URL: http://arxiv.org/abs/2409.18528v1
- Date: Fri, 27 Sep 2024 08:11:45 GMT
- Title: Security Analysis of Top-Ranked mHealth Fitness Apps: An Empirical Study
- Authors: Albin Forsberg, Leonardo Horn Iwaya,
- Abstract summary: We investigate the security vulnerabilities of ten top-ranked Android health and fitness apps, a set that accounts for 237 million downloads.
Our findings revealed many vulnerabilities, such as insecure coding, hardcoded sensitive information, over-privileged permissions, misconfiguration, and excessive communication with third-party domains.
- Score: 0.32885740436059047
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption raises concerns regarding the security of the user's data. In this study, we investigate the security vulnerabilities of ten top-ranked Android health and fitness apps, a set that accounts for 237 million downloads. We performed several static and dynamic security analyses using tools such as the Mobile Security Framework (MobSF) and Android emulators. We also checked the server's security levels with Qualys SSL, which allowed us to gain insights into the security posture of the servers communicating with the mHealth fitness apps. Our findings revealed many vulnerabilities, such as insecure coding, hardcoded sensitive information, over-privileged permissions, misconfiguration, and excessive communication with third-party domains. For instance, some apps store their database API key directly in the code while also exposing their database URL. We found insecure encryption methods in six apps, such as using AES with ECB mode. Two apps communicated with an alarming number of approximately 230 domains each, and a third app with over 100 domains, exacerbating privacy linkability threats. The study underscores the importance of continuous security assessments of top-ranked mHealth fitness apps to better understand the threat landscape and inform app developers.
Related papers
- Mobile App Security Trends and Topics: An Examination of Questions From Stack Overflow [10.342268145364242]
We mine Stack Overflow for questions on mobile app security, which we analyze using quantitative and qualitative techniques.
The findings reveal that Stack Overflow is a major resource for developers seeking help with mobile app security, especially for Android apps.
Insights from this research can inform the development of tools, techniques, and resources by the research and vendor community.
arXiv Detail & Related papers (2024-09-12T10:45:45Z) - Rethinking the Vulnerabilities of Face Recognition Systems:From a Practical Perspective [53.24281798458074]
Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication.
Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning)
arXiv Detail & Related papers (2024-05-21T13:34:23Z) - Evaluating the Security and Privacy Risk Postures of Virtual Assistants [3.1943453294492543]
We evaluated the security and privacy postures of eight widely used voice assistants: Alexa, Braina, Cortana, Google Assistant, Kalliope, Mycroft, Hound, and Extreme.
Results revealed that these VAs are vulnerable to a range of security threats.
These vulnerabilities could allow malicious actors to gain unauthorized access to users' personal information.
arXiv Detail & Related papers (2023-12-22T12:10:52Z) - SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z) - Mobile Mental Health Apps: Alternative Intervention or Intrusion? [2.131521514043068]
Mobile Mental Health (MMH) apps emerge as an effective alternative to assist with a broad range of psychological disorders.
The absence of a transparent privacy policy and lack of user awareness may pose a significant threat to undermining the applicability of such tools.
Our results indicate that apps' exploitable flaws, dangerous permissions, and insecure data handling pose a potential threat to the users' privacy and security.
arXiv Detail & Related papers (2022-06-21T21:05:54Z) - On the Privacy of Mental Health Apps: An Empirical Investigation and its
Implications for Apps Development [14.113922276394588]
This paper reports an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps.
We analyzed 27 top-ranked mental health apps from Google Play Store.
The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests.
arXiv Detail & Related papers (2022-01-22T09:23:56Z) - Analysis of Longitudinal Changes in Privacy Behavior of Android
Applications [79.71330613821037]
In this paper, we examine the trends in how Android apps have changed over time with respect to privacy.
We examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers.
We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy.
arXiv Detail & Related papers (2021-12-28T16:21:31Z) - An Empirical Study on Developing Secure Mobile Health Apps: The
Developers Perspective [0.0]
MHealth apps (mHealth apps for short) are becoming integral part of mobile and pervasive computing to improve the availability and quality of healthcare services.
Despite the offered benefits, mHealth apps face a critical challenge, i.e., security of health critical data that is produced and consumed by the app.
Several studies have revealed that security specific issues of mHealth apps have not been adequately addressed.
arXiv Detail & Related papers (2020-08-07T08:23:21Z) - Smart Home, security concerns of IoT [91.3755431537592]
The IoT (Internet of Things) has become widely popular in the domestic environments.
People are renewing their homes into smart homes; however, the privacy concerns of owning many Internet connected devices with always-on environmental sensors remain insufficiently addressed.
Default and weak passwords, cheap materials and hardware, and unencrypted communication are identified as the principal threats and vulnerabilities of IoT devices.
arXiv Detail & Related papers (2020-07-06T10:36:11Z) - Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
arXiv Detail & Related papers (2020-06-10T16:05:05Z) - Decentralized Privacy-Preserving Proximity Tracing [50.27258414960402]
DP3T provides a technological foundation to help slow the spread of SARS-CoV-2.
System aims to minimise privacy and security risks for individuals and communities.
arXiv Detail & Related papers (2020-05-25T12:32:02Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.