Nine out of 10 mobile health apps collect and track user data, according to a new global study, reports The Guardian.
The research, published in the British Medical Journal, is based on in-depth analysis of more than 20,000 mobile health apps on the Google Play Store. It found that many of these apps, which include step and calorie counters, apps that manage health conditions, symptom checkers and menstruation trackers, require users to disclose sensitive health information.
Muhammad Ikram, a lecturer at the Macquarie University Cyber Security Hub, said the vast majority (88%) were using “tracking identifiers and cookies to track user activities on mobile devices, and some of these applications are actually using tracking across different platforms”.
Additionally, 28% of health apps did not provide any sort of privacy statement on Google Play about what was being collected, which is against the store’s terms of service.
The research found that about two-thirds could collect advertising identifiers or cookies, one-third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device was connected, potentially providing information on the user’s location.
Commenting on this, Tom Davison, Technical Director at Lookout, says:
“Mobile devices offer a plethora of tracking functionality making them a rich source of data, much of it personal or personally identifying, especially when correlated with additional data sources. It is precisely the richness of this data that makes many apps so appealing and useful to consumers. However, awareness from users about how they are trading data for functionality remains woefully low.
“Mobile apps make use of robust permissions models, provided by Apple and Google, in order to control access to data and sensor information. The real challenge is that in order to use an app, users effectively have no choice but to accept permissions and agree to terms and conditions. As such, most do this with no real consideration as to what they are signing up to or the potential implications. Indeed most users are not equipped or prepared to sift through the legalese to fully understand the trade-offs.
“Of course, once a permission is accepted by the user it is in place for as long as the app resides on the device. Most apps update frequently, bringing new functionality and data handling capabilities, and it is incumbent on the developer to notify the user and gain agreement to updated privacy policies.
“Regulations such as GDPR have definitely improved matters and helped raise awareness of privacy. However, it is challenging for regulations to keep pace with the speed of developments in mobile hardware and software and the ways in which data can be collected and shared.”
The full story can be found here: https://www.theguardian.com/