Nine out of 10 health apps are covertly harvesting user data

• Over a quarter of health apps were found not adhering to Google Play Store’s terms of service, failing to list the data being collected
• But only 4% of mobile health apps actually transmitted data to a third party – usually a user’s name and location information
• Google says it is taking action against offending apps

Permissions on Android smartphone applications are intended to be gatekeepers for how much data your device gives up. Yet even when users select ‘no’, many apps find a way to store intrusive files. Most recently, researchers discovered more than 20,000 mobile health apps on the Google Play Store collect and track user data.

The research published in the British Medical Journal carried out in-depth analysis of over 20,000 mobile health apps on the Google Play Store, some of which require users to disclose sensitive health information including real-time data like step and calorie counters, along with apps that manage health conditions, symptom checkers and menstruation trackers.

The study’s co-author and a lecturer at the Macquarie University Cyber Security Hub, Muhammad Ikram told The Guardian the vast majority (88%) were using “tracking identifiers and cookies to track user activities on mobile devices, and some of these applications are actually using tracking across different platforms”. Additionally, 28% of health apps did not provide any sort of privacy statement on Google Play about what was being collected, which is against the Play Store’s terms of service.

Breach of privacy by the health apps

As of 2021, almost 2.87 million apps were available on the Google Play Store alone, according to the research report, with two popular apps listed under the categories of medical, and health and fitness. “Although the potential of mHealth [mobile health] apps to improve access to real-time monitoring and health care resources is well established, they pose problems concerning data privacy. [This is] because of the sensitive information they can access, the use of a business model that is centered on selling subscriptions or sharing user data, and the lack of enforcement of privacy standards around the world.”

The research also found that about two-thirds could collect advertising identifiers or cookies, one-third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device was connected, potentially providing information on the user’s location. However, only 4% of mobile health apps actually transmitted data to a third party – usually a user’s name and location information.

Ikram added that some of these details are used for tracking and profiling purposes, and are actually collected by third parties like advertisers. Calling it a “form of data mining” Ikram said the data collection is done without user consent and is being done both “explicitly and implicitly.”

A Google spokesperson informed Guardian that they are reviewing the report and will take action if they find any apps in violation of their policies. The report also commended the European General Data Protection Regulation, “which has improved transparency around apps’ data collection and sharing practices and requires specific measures to ensure active consent to data sharing”. On top of these statistics, researchers also found only 1.3% (3,609) of user reviews raised concerns about privacy.

The report concluded that “this analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps.”