Researchers from Macquarie University have found what they labelled as serious problems with privacy and inconsistent privacy practices in health apps.
The researchers estimated that just over 99,000 apps out of the 2.8 million on Google Play and 1.96 million on the Apple App Store relate to health and fitness. They include the management of health conditions and symptom checking, as well as step and calorie counters and menstruation trackers.
They probed 15,000 free health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps. They found that while these apps collected less user data than other types of mobile apps, 88% could access and potentially share personal data.
"For example, about two thirds could collect advert identifiers or cookies, one third could collect a user's email address, and about a quarter could identify the mobile phone tower to which a user's device is connected, potentially providing information on the user's geolocation," the researchers wrote in a study published by The BMJ.
Only 4% of the health-related apps actually transmitted data, mostly the user's name and location information.
"This percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps," they added.
The analysis of app files and code identified 65,068 data collection operations; on average four for each app.
Analysis of app traffic identified 3,148 transmissions of user data across 616 different apps. The main types of data collected by these apps include contact information, user location, and several device identifiers such as IMEI, MAC address, and IMSI (international mobile subscriber identity).
The research found that 87.5% of data collection operations and 56% of user data transmissions were on behalf of third-party services, such as external advertisers, analytics, and tracking providers. The researchers added that 23% of user data transmissions occurred over insecure communication channels.
The researchers identified 665 unique third-party entities, but said those responsible for most of the data collection operations were the likes of Google, Facebook, and Yahoo!.
"The apps collected user data on behalf of hundreds of third parties, with a small number of service providers accounting for most of the collected data," the research says.
"Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients," the researchers concluded.
"Such privacy risks should be articulated to patients and could be made part of app usage consent.
"We believe the trade-off between the benefits and risks of 'mHealth' apps should be considered for any technical and policy discussion surrounding the services provided by such apps."