"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications

• URL: http://arxiv.org/abs/2510.06015v1
• Date: Tue, 07 Oct 2025 15:12:48 GMT
• Title: "Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications
• Authors: Luke Stevenson, Sanchari Das,
• Abstract summary: We present an end-to-end audit of 272 Android mHealth apps from Google Play.<n>Our multi-tool assessment with MobSF, RiskInDroid, and silently Mobile Audit revealed systemic weaknesses.
• Score: 9.133320151595084
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosure, 18.3% initiate calls silently, and 73 send SMS without notice. Nearly half (49.3%) still use deprecated SHA-1 encryption, 42 transmit unencrypted data, and 6 remain vulnerable to StrandHogg 2.0. Analysis of 2.56 million user reviews found 28.5% negative or neutral sentiment, with over 553,000 explicitly citing privacy intrusions, data misuse, or operational instability. These findings demonstrate the urgent need for enforceable permission transparency, automated pre-market security vetting, and systematic adoption of secure-by-design practices to protect Protected Health Information (PHI).

Related papers

• MAGPIE: A benchmark for Multi-AGent contextual PrIvacy Evaluation [61.92403071137653]
  Existing privacy benchmarks only focus on simplistic, single-turn interactions where private information can be trivially omitted without affecting task outcomes.<n>We introduce MAGPIE, a novel benchmark designed to evaluate privacy understanding and preservation in multi-agent collaborative, non-adversarial scenarios.<n>Our evaluation reveals that state-of-the-art agents, including GPT-5 and Gemini 2.5-Pro, exhibit significant privacy leakage.
  arXiv  Detail & Related papers  (2025-10-16T23:12:12Z)
• Agentic Discovery and Validation of Android App Vulnerabilities [8.298163888812233]
  Existing Android vulnerability detection tools overwhelm teams with thousands of low-signal warnings.<n>Analysts spend days triaging these results, creating a bottleneck in the security pipeline.<n>We introduce A2, a system that mirrors how security experts analyze and validate Android vulnerabilities.
  arXiv  Detail & Related papers  (2025-08-29T12:32:35Z)
• SafeArena: Evaluating the Safety of Autonomous Web Agents [65.49740046281116]
  LLM-based agents are becoming increasingly proficient at solving web-based tasks.<n>With this capability comes a greater risk of misuse for malicious purposes.<n>We propose SafeArena, the first benchmark to focus on the deliberate misuse of web agents.
  arXiv  Detail & Related papers  (2025-03-06T20:43:14Z)
• Security Analysis of Top-Ranked mHealth Fitness Apps: An Empirical Study [0.32885740436059047]
  We investigate the security vulnerabilities of ten top-ranked Android health and fitness apps, a set that accounts for 237 million downloads. Our findings revealed many vulnerabilities, such as insecure coding, hardcoded sensitive information, over-privileged permissions, misconfiguration, and excessive communication with third-party domains.
  arXiv  Detail & Related papers  (2024-09-27T08:11:45Z)
• Assessing Privacy Compliance of Android Third-Party SDKs [16.975384208528972]
  Third-party Software Development Kits (SDKs) are widely adopted in Android app development.<n>This convenience raises substantial concerns about unauthorized access to users' privacy-sensitive information.<n>Our study offers a targeted analysis of user privacy protection among Android third-party SDKs.
  arXiv  Detail & Related papers  (2024-09-16T15:44:43Z)
• PrivacyLens: Evaluating Privacy Norm Awareness of Language Models in Action [54.11479432110771]
  PrivacyLens is a novel framework designed to extend privacy-sensitive seeds into expressive vignettes and further into agent trajectories.<n>We instantiate PrivacyLens with a collection of privacy norms grounded in privacy literature and crowdsourced seeds.<n>State-of-the-art LMs, like GPT-4 and Llama-3-70B, leak sensitive information in 25.68% and 38.69% of cases, even when prompted with privacy-enhancing instructions.
  arXiv  Detail & Related papers  (2024-08-29T17:58:38Z)
• Protect Your Score: Contact Tracing With Differential Privacy Guarantees [68.53998103087508]
  We argue that privacy concerns currently hold deployment back. We propose a contact tracing algorithm with differential privacy guarantees against this attack. Especially for realistic test scenarios, we achieve a two to ten-fold reduction in the infection rate of the virus.
  arXiv  Detail & Related papers  (2023-12-18T11:16:33Z)
• Mobile Mental Health Apps: Alternative Intervention or Intrusion? [2.131521514043068]
  Mobile Mental Health (MMH) apps emerge as an effective alternative to assist with a broad range of psychological disorders. The absence of a transparent privacy policy and lack of user awareness may pose a significant threat to undermining the applicability of such tools. Our results indicate that apps' exploitable flaws, dangerous permissions, and insecure data handling pose a potential threat to the users' privacy and security.
  arXiv  Detail & Related papers  (2022-06-21T21:05:54Z)
• On the Privacy of Mental Health Apps: An Empirical Investigation and its Implications for Apps Development [14.113922276394588]
  This paper reports an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps. We analyzed 27 top-ranked mental health apps from Google Play Store. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests.
  arXiv  Detail & Related papers  (2022-01-22T09:23:56Z)
• Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy. We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
  arXiv  Detail & Related papers  (2020-06-10T16:05:05Z)
• Decentralized Privacy-Preserving Proximity Tracing [50.27258414960402]
  DP3T provides a technological foundation to help slow the spread of SARS-CoV-2. System aims to minimise privacy and security risks for individuals and communities.
  arXiv  Detail & Related papers  (2020-05-25T12:32:02Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.