Macquarie Uni researchers find an oversharing of personal data in health apps

88% of the free health-related apps on Google Play probed by researchers could access and potentially share personal data.
Written by Asha Barbaschow, Contributor

Researchers from Macquarie University have found what they labelled as serious problems with privacy and inconsistent privacy practices in health apps.

The researchers estimated that just over 99,000 apps out of the 2.8 million on Google Play and 1.96 million on the Apple App Store relate to health and fitness. They include the management of health conditions and symptom checking, as well as step and calorie counters and menstruation trackers.

They probed 15,000 free health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps. They found that while these apps collected less user data than other types of mobile apps, 88% could access and potentially share personal data.

"For example, about two thirds could collect advert identifiers or cookies, one third could collect a user's email address, and about a quarter could identify the mobile phone tower to which a user's device is connected, potentially providing information on the user's geolocation," the researchers wrote in a study published by The BMJ.

See also: Fertility-tracking app Flo Health settles FTC allegations of inappropriate data sharing

Only 4% of the health-related apps actually transmitted data, mostly users' names and location information.

"This percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps," they added.

The analysis of app files and code identified 65,068 data collection operations; on average four for each app.

Analysis of app traffic identified 3,148 transmissions of user data across 616 different apps. The main types of data collected by these apps include contact information, user location, and several device identifiers such as IMEI, MAC address, and IMSI, which is an international mobile subscriber identity.


Figure: Privacy analysis of mobile health apps (Image: Macquarie University)

87.5% of data collection operations and 56% of user data transmissions were on behalf of third-party services, such as external advertisers, analytics, and tracking providers, the research found. 23% of user data transmissions occurred on insecure communication channels, they added.

665 unique third-party entities were identified, but those responsible for most of the data collection operations, the researchers said, were the likes of Google, Facebook, and Yahoo!.

"The apps collected user data on behalf of hundreds of third parties, with a small number of service providers accounting for most of the collected data," the research says.

The researchers also found that 28% -- 5,903 -- of the apps they analysed did not offer any privacy policy text, and at least 25% -- 15,480 -- of user data transmissions violated what was stated in the privacy policies.

"Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients," the researchers concluded.

"Such privacy risks should be articulated to patients and could be made part of app usage consent.

"We believe the trade-off between the benefits and risks of 'mHealth' apps should be considered for any technical and policy discussion surrounding the services provided by such apps."

