We present a large-scale security analysis of mHealth apps, performed through automated app collection and analysis tools on more than 20,000 mHealth apps available on Google Play and accessible from Australia. Our goal is to provide a comprehensive view of mHealth app security, spanning from the verification of app sources and protection of app communications, to the presence of malicious activities in the apps and the risks of over-privileged apps.
Our analysis found that mHealth apps are still far from offering robust security guarantees. Notably, 2.8% of mHealth apps package suspicious code (e.g., trojans). Moreover, 45% of mHealth apps rely on unencrypted communication, and as much as 23% of personal data (e.g., GPS location) is sent over plaintext traffic. User reviews reveal that mHealth app users are largely unaware of the security issues surfaced in this work.
App users, clinicians, technology developers, and policy-makers should be cognisant of the uncovered security vulnerabilities and weigh them carefully against the benefits offered by the apps.
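The unencrypted-communication finding above can be checked statically for a single app before any traffic is captured. The following is an added example, not the paper's own collection or analysis tooling: it inspects a constructed AndroidManifest.xml, a constructed network_security_config.xml and a constructed string-resource blob, and applies Android's documented cleartext rules (cleartext blocked by default from targetSdk 28 onward, the `android:usesCleartextTraffic` attribute, and the network security config, which takes precedence over that attribute when present) to report whether cleartext HTTP is permitted globally or for specific domains, and which `http://` endpoints the app embeds. All domain names and file contents are invented samples.

```python
"""Static cleartext-traffic check for an unpacked Android app (added example).

This is not the paper's tooling. The three inputs below are constructed samples.
The decision logic follows Android's documented behaviour:
  - targetSdk >= 28: cleartext is blocked unless the app opts in;
  - android:usesCleartextTraffic="true" on <application> opts the whole app in;
  - when android:networkSecurityConfig is set, that config governs instead:
    <base-config cleartextTrafficPermitted="..."> applies globally and
    <domain-config cleartextTrafficPermitted="true"> applies per domain.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mhealth">
  <uses-sdk android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="true"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

# Constructed sample network security config: cleartext off globally,
# but explicitly re-enabled for one API host.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example-health.test</domain>
  </domain-config>
</network-security-config>
"""

# Constructed sample of string resources / decompiled constants.
SAMPLE_STRINGS = """
<string name="api_base">http://api.example-health.test/v1/</string>
<string name="cdn">https://cdn.example-health.test/</string>
<string name="telemetry">http://telemetry.example-health.test/gps</string>
"""


def manifest_cleartext(manifest_xml):
    """Return (target_sdk, usesCleartextTraffic attribute or None, NSC reference or None)."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
    app = root.find("application")
    attr = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    nsc = app.get(ANDROID_NS + "networkSecurityConfig") if app is not None else None
    return target, attr, nsc


def nsc_cleartext(nsc_xml):
    """Return (base-config permits cleartext, set of domains that permit cleartext)."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_permits = base is not None and base.get("cleartextTrafficPermitted", "false") == "true"
    domains = set()
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted", "false") == "true":
            domains.update(d.text.strip() for d in dc.findall("domain") if d.text)
    return base_permits, domains


def http_endpoints(text):
    """Collect plain http:// URLs (https:// does not match) from any text blob."""
    return sorted(set(re.findall(r"http://[^\s\"'<>]+", text)))


def assess(manifest_xml, nsc_xml, strings_text):
    """Combine manifest, network security config and embedded URLs into one finding."""
    target, attr, nsc_ref = manifest_cleartext(manifest_xml)
    if nsc_ref:
        # The network security config overrides the manifest attribute.
        base_permits, domains = nsc_cleartext(nsc_xml)
        globally_allowed = base_permits
    elif attr is not None:
        globally_allowed, domains = (attr == "true"), set()
    else:
        globally_allowed, domains = (target < 28), set()   # platform default
    return {
        "target_sdk": target,
        "manifest_attr": attr,
        "cleartext_globally_allowed": globally_allowed,
        "cleartext_domains": domains,
        "http_endpoints": http_endpoints(strings_text),
    }


if __name__ == "__main__":
    finding = assess(SAMPLE_MANIFEST, SAMPLE_NSC, SAMPLE_STRINGS)
    for key, value in finding.items():
        print(f"{key}: {value}")
```

For the constructed sample, the manifest attribute alone would suggest app-wide cleartext, but the network security config narrows it to one domain; the embedded `http://` telemetry URL on a host outside that allow-list would be blocked at runtime on targetSdk 30, which is exactly the kind of mismatch between declared policy and embedded endpoints worth surfacing in an automated pass.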
Our paper is submitted to the JAMIA Journal, 2021. You can contact us at the following email address if you want to use our collected dataset or analysis scripts, or if you are interested in our full paper.
A sample of the dataset and scripts used in this paper is hosted on Google Drive.
MhealthAppSec: mhealthappsec [at] yahoo.com or gioacchino.tangari[at]mq.edu.au or muhammad.ikram[at]mq.edu.au