1 Introduction
- Most apps pose linkability, identifiability, and detectability threats: some 3rd-parties can link, re-identify, and detect users’ actions and data. Unawareness is also related to such threats, given that apps do not explain (e.g., in the privacy policy) the risks posed by targeted advertising to people experiencing mental health problems, or the risk of re-identification and disclosure of mental health conditions (e.g., anxiety, depression).
- Only 3/27 app developers responded to our query regarding Privacy Impact Assessments (PIAs), stating that they had performed a PIA on their app, and only two of them had made the PIA report public. This suggests a high non-compliance rate, since mHealth apps tend to pose a high risk to the rights and freedoms of users.
- 24/27 app privacy policies were found to require at least college-level education to understand; the remaining 3/27 required a 10th- to 12th-grade reading level. Such findings suggest further non-compliance problems, leaving data subjects unaware of the nature of the data processing activities in mental health apps, the data controllers, and the service providers.
- Static analysis reports show that 20/27 apps are at critical security risk and 4/27 at high security risk. Many of the issues, such as the use of weak cryptography, are revealed through simple static analysis. Dynamic analysis also shows that some apps transmit and log personal data in plain-text; four apps can leak such sensitive data to 3rd-parties, exacerbating the risks of (re-)identification and information disclosure.
2 Background
2.1 Privacy (and Security)
2.2 The ecosystem of mental health Apps
2.3 The LINDDUN threat taxonomy
- Linkability: an adversary can link two items of interest (IOI) without knowing the identity of the data subject(s) involved (e.g., service providers are able to link data coming from different apps about the same data subject).
- Identifiability: an adversary can identify a data subject from a set of data subjects through an IOI (e.g., service providers can re-identify a user based on leaked data, metadata, and unique IDs).
- Non-repudiation: the data subject cannot deny a claim, such as having performed an action or sent a request (e.g., data and transactions stored by companies and service providers cannot be deleted, revealing the users’ actions).
- Detectability: an adversary can distinguish whether or not an IOI about a data subject exists, regardless of being able to read its contents (e.g., attackers can detect that a user’s device is communicating with mental health services).
- Disclosure of information: an adversary can learn the content of an IOI about a data subject (e.g., data is transmitted in plain-text).
- Unawareness: the data subject is unaware of the collection, processing, storage, or sharing of their data (and the corresponding purposes) (e.g., the company’s privacy policy is neither easy to understand nor transparent about the nature of the data processing).
- Non-compliance: the processing, storage, or handling of personal data is not compliant with legislation, regulation, or policy (e.g., a company fails to perform a PIA for a privacy-sensitive system).
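When mapping findings to this taxonomy (as done later in Section 3.4), it helps to treat the seven categories as a fixed enumeration that findings are tallied against. The following Python sketch illustrates one such encoding; the two findings shown are hypothetical illustrations, not results from our analysis:

```python
from dataclasses import dataclass
from enum import Enum

class Linddun(Enum):
    """The seven LINDDUN threat categories."""
    LINKABILITY = "L"
    IDENTIFIABILITY = "I"
    NON_REPUDIATION = "N"
    DETECTABILITY = "D"
    DISCLOSURE = "DD"       # Disclosure of information
    UNAWARENESS = "U"
    NON_COMPLIANCE = "NC"

@dataclass
class Finding:
    """A single analysis finding mapped to one or more LINDDUN categories."""
    description: str
    threats: set

def threat_counts(findings):
    """Tally how many findings touch each LINDDUN category."""
    counts = {c: 0 for c in Linddun}
    for f in findings:
        for t in f.threats:
            counts[t] += 1
    return counts

# Hypothetical findings, for illustration only.
findings = [
    Finding("Data transmitted in plain-text", {Linddun.DISCLOSURE}),
    Finding("Unreadable privacy policy",
            {Linddun.UNAWARENESS, Linddun.NON_COMPLIANCE}),
]
counts = threat_counts(findings)
```

A per-app tally of this kind is what produces summary tables such as the one in Section 4.2.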
2.4 Related work
2.4.1 Security and privacy of mHealth Apps in general
2.4.2 Security and privacy of mental health Apps
Ref | Year | N. of Apps | Condition | PP | PIA | Per | DT | Code | Log | DS | SC | UC | Limitations |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Huang and Bashir (2017) | 2017 | 274 | Anxiety | | | ✓ | | | | | | | (i) Limited to anxiety apps. (ii) Analyzes only apps’ permissions. |
Huckvale et al. (2019) | 2019 | 36 | Depression and smoking cessation | ✓ | | | ✓ | | | | | | (i) Limited to depression and smoking cessation apps. (ii) Analyzes only the privacy policies and network traffic. |
Muchagata and Ferreira (2019) | 2019 | 18 | Dementia | ✓ | | ✓ | | | | | | ✓ | (i) Limited to dementia apps. (ii) Analyzes only PPs and permissions and performs a GDPR compliance check. |
O’Loughlin et al. (2019) | 2019 | 116 | Depression | ✓ | | | | | | | | | (i) Limited to depression apps. (ii) Analyzes only the PPs. |
Parker et al. (2019) | 2019 | 61 | Mental health | ✓ | | ✓ | | | | | | | (i) Analyzes only the apps’ permissions and PPs. |
Powell et al. (2018) | 2018 | 70 | Diabetes and mental health | ✓ | | | | | | | | | (i) Analyzes only the complexity of PPs. |
Robillard et al. (2019) | 2019 | 369 | Track and mood | ✓ | | | | | | | | | (i) Analyzes only the PPs and terms of agreement. |
Rosenfeld et al. (2017) | 2017 | 33 | Dementia | ✓ | | | | | | | | | (i) Limited to dementia apps. (ii) Analyzes only the PPs. |
This work | – | 27 | Mental health | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | (i) Limited to top-ranked mental health apps. (ii) PPs analyzed using AI-assisted tools. |
3 Methodology
3.1 Apps selection process
We used the google-play-scraper Node.js module, essentially searching for free mental health apps in English (see Fig. 2) and setting the location to Australia. We then refined the results to apps in the MEDICAL or HEALTH_AND_FITNESS categories. This refinement reduced our sample to 37 Android apps.
3.2 Privacy analysis process
3.2.1 Static security analysis
- Manually evaluate whether or not a “dangerous” permission is required to serve the app’s purpose. For that, MobSF looks into the protection level of a permission, which may be specified as dangerous.
- Manually analyze the code snippets that were reported to use insecure random number generators, insecure ciphers, and insecure cipher modes.
- Manually check the code snippets that use IvParameterSpec to test whether Initialization Vectors (IVs) have been correctly used.
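To illustrate why the checks above flag insecure random number generators, consider the following sketch. The apps themselves are Android (Java/Kotlin) code; this Python analogue only demonstrates the underlying weakness, contrasting a seeded general-purpose PRNG with an OS-backed CSPRNG:

```python
import random
import secrets

def insecure_token(seed: int, nbytes: int = 16) -> bytes:
    """General-purpose PRNGs (Mersenne Twister here, java.util.Random in
    Android code) are deterministic: anyone who learns or guesses the seed
    can reproduce every output."""
    rng = random.Random(seed)   # not cryptographically secure
    return bytes(rng.randrange(256) for _ in range(nbytes))

def secure_token(nbytes: int = 16) -> bytes:
    """Cryptographically secure alternative, backed by the OS CSPRNG
    (the analogue of java.security.SecureRandom)."""
    return secrets.token_bytes(nbytes)

# Two parties using the same seed obtain identical "random" tokens --
# exactly the property that makes seeded PRNGs unusable for keys,
# session tokens, and IVs.
assert insecure_token(42) == insecure_token(42)
```

The same reasoning applies to the IV checks: a predictable or reused IV undermines cipher modes such as CBC even when the cipher itself is strong.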
3.2.2 Dynamic security analysis
3.2.3 Server-side analysis
3.2.4 Request privacy impact assessment
3.2.5 Readability evaluation of privacy policies
3.2.6 AI-enabled analysis of privacy policies
3.3 Responsible disclosure process
3.4 Mapping findings to LINDDUN
One example is the permission android.permission.READ_PROFILE, which allows the application to read the user’s profile data. This permission does not seem necessary at installation time, nor for the app to function for its specified purposes, so it was marked as an issue. Such a dangerous permission results in providing too much data (i.e., an Unawareness threat). It also relates to insufficient notice to users (i.e., the Non-compliance threat tree), since the privacy policy could have better explained the need for this dangerous permission. Similarly, the issues regarding the use of insecure PRNGs may lead to weak security implementations and, thus, weak message confidentiality (i.e., a Disclosure of Information threat). These overarching findings are presented in Section 4 along with the results.
For instance, if an app uses WRITE_EXTERNAL_STORAGE, it might leak information to other apps on the device that can also access the external storage. Similarly, when analyzing the reverse-engineered code for insecure implementations, the threats are mainly associated with Disclosure of Information, since improper cryptography weakens an app’s security, leading to confidentiality breaches.
4 Results
4.1 Selected mental health Apps
N. of Apps | N. of Downloads |
---|---|
12 | 100,000 - 500,000 |
3 | 500,000 - 1,000,000 |
9 | 1,000,000 - 5,000,000 |
1 | 5,000,000 - 10,000,000 |
2 | 10,000,000+ |
N. of Apps | Tags |
---|---|
22 | Anxiety |
19 | Stress and burnout |
13 | Depression |
13 | Sleep and insomnia |
13 | Journal, diary and daily-planner |
12 | Mood and habit tracker |
10 | Disorders, addiction, bipolar, anger, phobia, eating disorder, negative emotions, mood disorder, self-harm, PTSD, OCD, and ADHD |
8 | Meditation |
8 | Panic attack |
8 | Online therapy, online doctor, and couples therapy |
5 | Chatbot |
5 | Other, e.g., peer-support, pregnancy, pain management, bullying |
4 | Self-esteem |
3 | Mental health assessment, diagnosis, and check symptoms |
4.2 Summary of results according to LINDDUN
App code | L | I | N | D | D | U | N | Total |
---|---|---|---|---|---|---|---|---|
App 1 | 3 | 3 | 3 | 3 | 5 | 5 | 7 | 29 |
App 2 | 2 | 2 | 2 | 2 | 6 | 4 | 5 | 23 |
App 3 | 2 | 2 | 2 | 2 | 7 | 4 | 6 | 25 |
App 4* | – | – | – | – | 4 | 4 | 6 | 14 |
App 5 | 2 | 2 | 2 | 2 | 7 | 4 | 5 | 24 |
App 6* | – | – | – | – | 2 | 4 | 5 | 11 |
App 7 | 3 | 3 | 3 | 3 | 6 | 5 | 7 | 30 |
App 8* | – | – | – | – | 3 | 4 | 6 | 13 |
App 9 | 2 | 2 | 2 | 2 | 6 | 4 | 6 | 24 |
App 10 | 2 | 2 | 2 | 2 | 6 | 4 | 6 | 24 |
App 11 | 3 | 3 | 3 | 3 | 7 | 4 | 5 | 28 |
App 12 | 3 | 3 | 3 | 3 | 6 | 5 | 7 | 30 |
App 13 | 3 | 3 | 3 | 3 | 6 | 5 | 7 | 30 |
App 14 | 3 | 3 | 3 | 2 | 5 | 5 | 7 | 28 |
App 15 | 3 | 3 | 3 | 3 | 6 | 5 | 7 | 30 |
App 16 | 3 | 3 | 3 | 3 | 7 | 5 | 7 | 31 |
App 17 | 3 | 3 | 3 | 3 | 6 | 5 | 7 | 30 |
App 18 | 3 | 3 | 3 | 3 | 7 | 5 | 6 | 30 |
App 19* | – | – | – | – | 2 | 4 | 6 | 12 |
App 20 | 2 | 2 | 2 | 2 | 4 | 3 | 4 | 19 |
App 21* | – | – | – | – | 1 | 4 | 6 | 11 |
App 22* | – | – | – | – | 1 | 4 | 6 | 11 |
App 23 | 3 | 3 | 3 | 3 | 7 | 5 | 7 | 31 |
App 24* | – | – | – | – | 1 | 4 | 6 | 11 |
App 25* | – | – | – | – | 2 | 4 | 6 | 12 |
App 26 | 2 | 2 | 2 | 2 | 4 | 3 | 4 | 19 |
App 27 | 2 | 2 | 2 | 2 | 5 | 4 | 6 | 23 |
Avgs.: | 1.8 | 1.8 | 1.8 | 1.8 | 4.8 | 4.3 | 6.0 | 22.3 |
4.2.1 Linkability threats
4.2.2 Identifiability threats
4.2.3 Non-repudiation threats
N. of Apps | N. of Web Servers |
---|---|
6 | 1-5 |
5 | 6-10 |
6 | 11-20 |
2 | > 20 |
N. of Apps | Domain |
---|---|
18 | google.com |
15 | googleapis.com |
12 | crashlytics.com |
9 | branch.io |
8 | facebook.com |
8 | gstatic.com |
7 | mixpanel.com |
7 | youtube.com |
6 | app-measurement.com |
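Domain tallies like the one above can be derived from captured web traffic. A minimal sketch, assuming a crude last-two-labels heuristic for the registrable domain (a real pipeline should use the Public Suffix List); the request URLs are hypothetical examples:

```python
from collections import Counter
from urllib.parse import urlsplit

def registrable_domain(url: str) -> str:
    """Crude eTLD+1 heuristic: keep the last two host labels.
    (Fails for suffixes like .com.au; use the Public Suffix List
    in a real analysis.)"""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def domain_counts(request_urls):
    """Count how many captured requests hit each registrable domain."""
    return Counter(registrable_domain(u) for u in request_urls)

# Hypothetical captured traffic, for illustration only.
traffic = [
    "https://www.googleapis.com/v1/token",
    "https://settings.crashlytics.com/spi/v2/platforms",
    "https://graph.facebook.com/app/activities",
    "https://e.crashlytics.com/spi/v2/events",
]
counts = domain_counts(traffic)
```

Grouping subdomains under one registrable domain (e.g., settings.crashlytics.com and e.crashlytics.com both under crashlytics.com) is what makes the per-company totals in the table comparable.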
4.2.4 Detectability threats
4.2.5 Disclosure of information threats
Each finding rated as high reduces the score by 15 points, each warning reduces it by 10 points, and each good finding increases it by 5 points. If the score is greater than 100, it is kept at 100; if the score is lower than 0, it is kept at 10. The App Security Score falls into a final risk level according to the ranges: Critical Risk (0 - 15), High Risk (16 - 40), Medium Risk (41 - 70), and Low Risk (71 - 100). From the beginning of the analysis, the high number of apps at Critical and High Risk suggested that many apps would have problems in terms of permissions, code vulnerabilities, trackers, etc.
N. of Apps | Information disclosure issues |
---|---|
19 | Revealing apps’ behaviour, usage, and activities. |
15 | Logging web traffic, parameters, Post value. |
5 | Revealing personal information. |
4 | Revealing tokens and credentials used by the app. |
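The App Security Score computation just described can be sketched as follows. This re-implements the scoring rules as stated in the text (including the floor of 10 for sub-zero scores), not MobSF’s actual code:

```python
def app_security_score(findings):
    """Start at 100; each 'high' finding subtracts 15, each 'warning'
    subtracts 10, and each 'good' adds 5; clamp to 100, and keep
    below-zero scores at 10, as described in the text."""
    score = 100
    for severity in findings:
        score += {"high": -15, "warning": -10, "good": +5}[severity]
    if score > 100:
        score = 100
    if score < 0:
        score = 10
    return score

def risk_level(score):
    """Map a score onto the four risk bands used in the analysis."""
    if score <= 15:
        return "Critical Risk"
    if score <= 40:
        return "High Risk"
    if score <= 70:
        return "Medium Risk"
    return "Low Risk"
```

For example, seven high-severity findings drive the score to the floor of 10, landing the app in the Critical Risk band; this is why apps with many flagged issues cluster at Critical and High Risk.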
4.2.6 Unawareness threats
N. of Apps | Dangerous permissions |
---|---|
27 | android.permission.INTERNET |
24 | android.permission.WAKE_LOCK |
23 | com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE |
19 | android.permission.WRITE_EXTERNAL_STORAGE |
16 | com.android.vending.BILLING |
13 | android.permission.READ_EXTERNAL_STORAGE |
9 | android.permission.READ_PHONE_STATE |
7 | android.permission.ACCESS_FINE_LOCATION |
6 | android.permission.RECORD_AUDIO |
6 | android.permission.MODIFY_AUDIO_SETTINGS |
6 | android.permission.CAMERA |
6 | android.permission.ACCESS_COARSE_LOCATION |
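A manifest-level check for dangerous permissions such as those listed above can be sketched as follows. The DANGEROUS set is a small, non-exhaustive excerpt, and the manifest fragment is an illustrative example, not one of the analyzed apps:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A small, non-exhaustive subset of permissions Android classifies
# as "dangerous".
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

def dangerous_permissions(manifest_xml: str) -> set:
    """Parse <uses-permission> entries from AndroidManifest.xml and
    intersect them with the known-dangerous set."""
    root = ET.fromstring(manifest_xml)
    requested = {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
    }
    return requested & DANGEROUS

# Hypothetical manifest fragment, for illustration only.
manifest = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
```

Tools like MobSF perform this extraction automatically; the manual step in our methodology is judging whether each flagged permission is actually needed for the app’s stated purpose.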
READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE are not always needed, but they are dangerous because they grant an app indiscriminate access to the device’s external storage, where a user’s sensitive information may be stored. On average, the apps use 4.1 (std = 7.6) unnecessary dangerous permissions. Even though software developers may have justifiable purposes for requiring such permissions, users must be able to clearly understand them.
4.2.7 Non-compliance threats
5 Discussion
Main findings | Threat examples | LINDDUN |
---|---|---|
Finding 01: Out of the 27 top-ranked mental health apps selected, most address the conditions of anxiety, stress, burnout and depression. Also, over a third of them address various other mental disorders, e.g., addictions, bipolar disorder, self-harm, PTSD and OCD. Hence, these apps’ processing operations result in a “high risk” to the rights and freedoms of natural persons. | (finding is too general to be mapped) | \(\square \square \square \square \square \square \square \) |
Finding 02: 74% (n = 20) of the apps scored as Critical Risk and 15% (n = 4) as High Risk in the App Security Score during the static analysis. | (finding is too general to be mapped) | \(\square \square \square \square \square \square \square \) |
Finding 03: All apps require dangerous permissions to run. Our manual inspection points to an average of 4 unnecessary dangerous permissions being used, of which read/write operations to the external storage are of primary concern. | Providing too much personal data (U_1), incorrect or insufficient privacy policies (NC_2), insufficient notice (NC_4). | \(\square \square \square \square \square \blacksquare \blacksquare \) |
Finding 04: Manual verification of the apps’ code shows a high prevalence of fundamental secure coding problems related to the use of insecure PRNGs (56%), insecure ciphers (56%), insecure cipher modes (26%), and insecure IVs (44%). | Weak message confidentiality (ID_df5). | \(\square \square \square \square \blacksquare \square \square \) |
Finding 05: 96% (n = 26) of the apps contained hard-coded sensitive information like usernames, passwords and keys. | Spoofing an external entity (S), obtain legitimate credentials (S_1). | \(\square \square \square \square \blacksquare \square \square \) |
Finding 06: Two apps reveal user email and credentials in the HTTP header or as GET parameters. | Spoofing an external entity (S), no message confidentiality (ID_df4), no channel confidentiality (ID_df7). | \(\square \square \square \square \blacksquare \square \square \) |
Finding 07: Two apps made a perplexing number of HTTP(S) requests in a short period. | Linkability and identifiability of contextual data (L_df2, I_df2), disclosure of a decrypted log of network connections (NR_df7), timing requests visible (D_df13), unaware of stored data (U_2), insufficient notice (NC_4). | \(\blacksquare \blacksquare \blacksquare \blacksquare \square \blacksquare \blacksquare \) |
Finding 08: User behaviour can also be easily extracted from web traffic logs (i.e., it is easy to perform profiling of mental health apps’ users). | Linkability and identifiability of contextual data (L_df2, I_df2), disclosure of a decrypted log of network connections (NR_df7), timing requests visible (D_df13), unaware of stored data (U_2), insufficient notice (NC_4). | \(\blacksquare \blacksquare \blacksquare \blacksquare \square \blacksquare \blacksquare \) |
Finding 09: 68% (n = 13) of the apps reveal API keys used to access 3rd-party services. | Spoofing an external entity (S), obtain legitimate credentials (S_1). | \(\square \square \square \square \blacksquare \square \square \) |
Finding 10: Most apps try to pseudonymize users through anonymous IDs or hashed advertisement IDs, but these IDs can still be used to link data among various 3rd-parties. | Linkability and identifiability of contextual data (L_df2, I_df2), person wanting deniability cannot edit database (NR_ds3), timing requests visible (D_df13), unaware of stored data (U_2), insufficient notice (NC_4). | \(\blacksquare \blacksquare \blacksquare \blacksquare \square \blacksquare \blacksquare \) |
Finding 11: Apps communicate with a large number of 3rd-parties for marketing and advertising, cloud service provisioning, and payment services. | Person wanting deniability cannot edit database (NR_ds3), unaware of stored data (U_2), insufficient notice (NC_4). | \(\square \square \blacksquare \square \square \blacksquare \blacksquare \) |
Finding 12: All analyzed apps reveal users’ usage and apps’ behaviour in the Android system logs (i.e., Logcat), which is visible to all applications in the system. | Weak access control to data (base) (I_ds1), bypass protection scheme (ID_ds1), data intelligible (ID_ds2). | \(\square \blacksquare \square \square \blacksquare \square \square \) |
Finding 13: 79% (n = 15) of the apps store data in plain-text in the file system or in databases. | Weak access control to data (base) (I_ds1), unencrypted (ID_ds10). | \(\square \blacksquare \square \square \blacksquare \square \square \) |
Finding 14: 95% (n = 18) of the apps reveal some credentials (e.g., API keys and tokens) in the stored data. | Weak access control to data (base) (I_ds1), obtain legitimate credentials (S_1). | \(\square \blacksquare \square \square \blacksquare \square \square \) |
Finding 15: 79% (n = 15) of the apps’ databases are not encrypted. | Weak access control to data(base) (I_ds1), unencrypted (ID_ds10). | \(\square \blacksquare \square \square \blacksquare \square \square \) |
Finding 16: Twenty apps (74%) did not report whether or not they conducted a PIA, and 4 (15%) apps explicitly declared not conducting one. | No/insufficient feedback and awareness tools (U_3), insufficient notice (NC_4). | \(\square \square \square \square \square \blacksquare \blacksquare \) |
Finding 17: The average Flesch Reading Ease score of the apps’ privacy policies is 42 (i.e., difficult to read), reflecting their cohesiveness and complexity. | Incorrect or insufficient privacy policy (NC_2), insufficient notice (NC_4). | \(\square \square \square \square \square \square \blacksquare \) |
Finding 18: An average of 2.7 unfair clauses was found in the analyzed privacy policies. | Incorrect or insufficient privacy policy (NC_2), insufficient notice (NC_4). | \(\square \square \square \square \square \square \blacksquare \) |
Finding 19: The average user control score that the apps obtained was 59/100 (std = 15.14), and the average GDPR score was 63.1/100 (std = 31.25). | Incorrect or insufficient privacy policy (NC_2), insufficient notice (NC_4). | \(\square \square \square \square \square \square \blacksquare \) |
Finding 20: 74% (n = 20) of the companies have not replied to the reports sent for responsible disclosure. | No/insufficient feedback and awareness tools (U_3), insufficient notice (NC_4). | \(\square \square \square \square \square \blacksquare \blacksquare \) |
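The readability metric behind Finding 17 can be reproduced with the standard Flesch Reading Ease formula. The sketch below uses a crude vowel-group heuristic for syllable counting; real readability tools use dictionary-based syllabification, so scores will differ slightly:

```python
import re

def count_syllables(word: str) -> int:
    """Rough heuristic: count groups of consecutive vowels;
    every word has at least one syllable."""
    groups = re.findall(r"[aeiouy]+", word.lower())
    return max(1, len(groups))

def flesch_reading_ease(text: str) -> float:
    """Flesch Reading Ease:
    206.835 - 1.015 * (words/sentences) - 84.6 * (syllables/words).
    Scores in the 30-50 band read as 'difficult' (college level),
    which is where the analyzed privacy policies fall on average."""
    sentences = max(1, len(re.findall(r"[.!?]+", text)))
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    n = max(1, len(words))
    return 206.835 - 1.015 * (n / sentences) - 84.6 * (syllables / n)
```

Long sentences and polysyllabic legal vocabulary drag the score down quickly, which is why privacy policies routinely land in the “difficult” band.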
5.1 Privacy impacts of mental health Apps
5.2 Apps’ permissions and data access
The most concerning permissions are READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE. Based on our manual analysis of the apps’ permissions (Section 4.2.6), we noticed that the apps rarely need access to external storage; thus, these permissions could have been avoided or used more carefully.
Android does not let users manage normal and dangerous permissions individually. The system automatically grants the normal permissions, and users have little to no transparency about them. The dangerous permissions are granted as a group, i.e., the entire permission group CONTACTS is granted, including the permissions GET_CONTACTS, READ_CONTACTS, and WRITE_CONTACTS, instead of letting users grant or deny them separately. Alepis and Patsakis (2017) also stress that even normal permissions can lead to user profiling or leaks of sensitive information (e.g., using GET_PACKAGE_SIZE to list all the user’s installed apps), or have the potential for accidental or malicious misuse (e.g., using INTERNET to open network sockets just to fetch ads). However, we assert that it should be the developers’ responsibility to understand the Android permission system and use it appropriately, in a privacy-preserving manner.
5.3 Apps’ security testing & coding
5.4 PIAs, DPIAs, and responsible disclosure
5.5 Privacy policies: transparency, consent and intervenability
Apps commonly rely on pseudonymous identifiers (e.g., uuid and aaid). Also, advanced paradigms of personalised advertising, such as cross-device tracking (CDT), are commonly used to monitor users’ browsing on multiple devices and screens in order to deliver (re-)targeted ads on the most appropriate screen. For instance, if a person downloads an mHealth app on their mobile device, that person will likely see other ads about mental health in their Facebook timeline when using a PC. Researchers have already found that CDT infringes users’ online privacy and reduces their anonymity (Solomos et al. 2019). Besides, there is a risk of exploitative advertising to individuals who may be vulnerable due to mental health conditions. Such an extent of data processing is likely to surprise users (and developers) who are unaware of the privacy risks and impacts. These observations support the growing argument that app development is intrinsically linked to the online advertising business, which may give little to no control over the management and use of data to those from whom the data is gathered, i.e., end users.
6 Limitations
We used google-play-scraper to automate the search process. This tool required us to set a specific location for the search, which we defined as Australia. Even though most of the investigated apps come from North America and Europe, it is important to consider that apps available in Australia might not be representative of the overall Android mHealth apps ecosystem.
In addition, some apps implement their own wrapper classes and util methods around the original functionality. Even though using such wrapper classes and util methods in security contexts could lead to a security vulnerability, our analysis did not investigate such usages, as it would increase the complexity and resources required for the study. We shared this observation with the studied apps’ development teams as part of the responsible disclosure process, with the suggestion to take these points into consideration when reading our findings.
7 Conclusion
Organizations | Find. |
→ Undertake a Privacy Impact Assessment – Demonstrate compliance by conducting Privacy Impact Assessment, even if not a full-fledged PIA. There are more concise/simplified methodologies for mHealth. | 16 |
→ Assume Mental Health Apps as High-Risk Systems – Development processes should be fine-tuned to give better emphasis to security and privacy. When developing a health app (or mental health app), higher levels of security and privacy should be considered compared to other general apps. | 1, 8 |
→ Engage with Experts – Better engagement of security and privacy experts in the development and evaluation, as well as in the writing of privacy policies to avoid unfair clauses. | 20 |
→ Write Readable Privacy Policies – Enhance transparency and openness by writing accessible Privacy Policies that truly allow users to understand and make informed decisions. | 17 |
Software developers | Find. |
→ Beware of the Unskilled and Unaware – App developers likely do not know the full extent of the security and privacy risks of using 3rd-party SDKs and APIs. That, combined with a lack of security knowledge, might make them prone to a Dunning-Kruger effect, i.e., overlooking and underestimating security and privacy issues while overestimating their own secure coding abilities (Ament 2017; Wagner and Mesbah 2019). | 4, 5, 6, 9, 12, 13, 14, 15
→ Connect the Privacy Policy to the System’s Design – Even though privacy policies are not within the software developers’ responsibility, developers should be familiar with their app’s privacy policy and terms of service. They should interact with lawyers (or whoever is responsible for writing and updating the privacy policy) whenever necessary to correct information on data collection, purpose limitation and specification, and to ensure security and privacy by design. | 17, 18, 19
→ Engineer Privacy By Design and By Default (Art. 25 GDPR (European Commission 2016)) – Software developers should be aware that the GDPR states that the “controller shall implement appropriate technical and organisational measures”. Even though implementing the state of the art is not always technically possible in all organisations and systems, vulnerabilities related to very basic secure coding practices are rather concerning. | 2, 4, 7, 9, 13, 14, 15
→ Collect Valid Consent with Responsible On-boarding – Even though the use of proper consent mechanisms may add friction to the on-boarding process, mental health apps rely on user consent to operate, so it is important that valid consent is being collected. After consent, apps should operate in the most privacy-preserving way by default (e.g., no advertising), and the consent withdrawal should be as easy as providing consent. | 8, 10, 11, 18 |
End-users and Health Practitioners | Find. |
→ Stand Up for Your Rights – Users that value their privacy can exercise rights by requesting more privacy-friendly apps. Users can question the current privacy policies and consent mechanisms. Request access to their data and better information on the nature of the data processing. | 10, 11, 16, 19 |
→ Recommend Reputable Apps for Mental Health – Health practitioners should encourage their patients to take higher control over their treatment and journey towards better mental health. Mental health apps can help with that, but practitioners should pay careful attention and recommend only apps that respect users’ privacy. | 16, 19 |
Mobile App Distribution Platforms | Find |
→ Raise the Bar for High-Risk Apps – App distributors could require better privacy measures to be put in place. Distributors could also categorise high-risk apps, adding filters for health-genre apps. | 1, 16
→ Enhance Trust and Transparency (Bal and Rannenberg 2014) – App distributors could also add useful privacy information about apps, especially about privacy consequences to support decision-making, and add privacy ratings for apps based on their data-access profiles and purposes of data access. | 8, 10, 11, 12 |
Smartphone Platform Providers | Find. |
→ Call for Privacy-Friendly System Apps and API Frameworks (Bal and Rannenberg 2014) – Smartphone providers could develop common systems to keep track of sensitive information flows, as well as to communicate observed behaviour to users, and provide developers with standardised ways to explain permission requests. | 3 |