Abstract
An increasing number of mental health services are now offered through mobile health (mHealth) systems, such as mobile applications (apps). Although adoption of mental health services has grown at an unprecedented rate, partly due to the COVID-19 pandemic, concerns about data privacy risks arising from security breaches are also increasing. While some studies have analyzed mHealth apps from different angles, including security, there is relatively little evidence on the data privacy issues that may exist in mHealth apps used for mental health services, whose users can be particularly vulnerable. This paper reports an empirical study aimed at systematically identifying and understanding the data privacy issues present in mental health apps. We analyzed 27 top-ranked mental health apps from the Google Play Store. Our methodology enabled an in-depth privacy analysis of the apps, covering static and dynamic analysis, data sharing behaviour, server-side tests, privacy impact assessment requests, and privacy policy evaluation. Furthermore, we mapped the findings to the LINDDUN threat taxonomy, describing how each threat manifests in the studied apps. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests. There is also a high risk of user profiling, as the apps do not provide robust mechanisms against linkability, detectability and identifiability. Data sharing with third parties and advertisers in the current app ecosystem aggravates this situation. Based on the empirical findings of this study, we provide recommendations for the different stakeholders of mHealth apps in general and for app developers in particular. We conclude that while developers ought to be more knowledgeable in considering and addressing privacy issues, users and health professionals can also play a role by demanding privacy-friendly apps.
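The abstract names three finding classes that a static pass over an APK's manifest and decompiled source can surface: permissions the app's feature set does not justify, insecure cryptography, and credentials written to logs. The script below is an added illustration of what such checks look like and how their results map onto LINDDUN threat categories; it is not the paper's own tooling, and the manifest, the Java fragment, the per-app permission allow-list (EXPECTED_PERMISSIONS) and the permission-to-threat mapping (LINDDUN_BY_PERMISSION) are all constructed assumptions for the example.

```python
"""Illustrative static checks for three finding classes from the abstract:
unnecessary permissions, insecure cryptography, and credential leaks in logs.
All inputs are constructed for this example, not taken from any studied app."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: a mood-journal app that also asks for location and contacts.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mood">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Constructed (decompiled-style) Java fragment containing the reported patterns.
SOURCE = """Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
byte[] key = "hardcodedkey1234".getBytes();
Log.d("LoginActivity", "user=" + email + " password=" + password);
Log.i("Sync", "token=" + accessToken);
Log.v("Net", "GET " + url);"""

# Assumed allow-list: what a journal-plus-voice-notes feature set plausibly needs.
# Anything declared beyond this is treated as "unnecessary" (data minimisation).
EXPECTED_PERMISSIONS = {"android.permission.INTERNET", "android.permission.RECORD_AUDIO"}

# Assumed mapping from an excess permission to the LINDDUN threat it most directly enables.
LINDDUN_BY_PERMISSION = {
    "android.permission.ACCESS_FINE_LOCATION": "Linkability",
    "android.permission.READ_CONTACTS": "Identifiability",
}

INSECURE_CRYPTO = [
    (re.compile(r'Cipher\.getInstance\("[^"]*ECB[^"]*"\)'), "ECB mode leaks plaintext structure"),
    (re.compile(r'Cipher\.getInstance\("(DES|RC4)[^"]*"\)'), "weak cipher"),
    (re.compile(r'"[A-Za-z0-9]{16,}"\.getBytes\(\)'), "hard-coded key material"),
]

# Any Log.{v,d,i,w,e}(...) call whose arguments mention a credential-like word.
SENSITIVE_IN_LOG = re.compile(r'Log\.[vdiwe]\(.*?(password|passwd|token|secret|session)', re.IGNORECASE)


def unnecessary_permissions(manifest_xml, expected):
    """Permissions declared in the manifest that the app's feature set does not need."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return sorted(declared - expected)


def insecure_crypto(source):
    """(line number, reason) for each line matching a weak-crypto pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, why in INSECURE_CRYPTO:
            if pattern.search(line):
                findings.append((lineno, why))
    return findings


def log_leaks(source):
    """Line numbers of log statements that include credential-like values."""
    return [lineno for lineno, line in enumerate(source.splitlines(), 1)
            if SENSITIVE_IN_LOG.search(line)]


def linddun_report(manifest_xml, source, expected):
    """Group all findings under the LINDDUN category they manifest as."""
    report = {}
    for perm in unnecessary_permissions(manifest_xml, expected):
        # Excess permissions not tied to a specific threat are a data-minimisation failure.
        category = LINDDUN_BY_PERMISSION.get(perm, "Non-compliance")
        report.setdefault(category, []).append(f"unnecessary permission {perm}")
    for lineno, why in insecure_crypto(source):
        report.setdefault("Information disclosure", []).append(f"line {lineno}: {why}")
    for lineno in log_leaks(source):
        report.setdefault("Information disclosure", []).append(f"line {lineno}: credential in log")
    return report


if __name__ == "__main__":
    for category, items in linddun_report(MANIFEST, SOURCE, EXPECTED_PERMISSIONS).items():
        print(category)
        for item in items:
            print("  -", item)
```

The regex checks are deliberately narrow so that each hit is explainable; in a real review they would be one input to the manual triage the paper describes, not a verdict on their own, and the allow-list must be derived per app from its stated functionality rather than reused.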
Funder
Cyber Security Cooperative Research Centre
Horizon 2020 Framework Programme
Stiftelsen för Kunskaps- och Kompetensutveckling
Region Värmland
Engineering and Physical Sciences Research Council
Karlstad University
Publisher
Springer Science and Business Media LLC
Cited by
21 articles.