Privacy and Security of Women's Reproductive Health Apps in a Changing Legal Landscape

Shalini Saini, Nitesh Saxena

TL;DR

The paper investigates privacy and security risks in period-tracking and fertility-monitoring apps amid changing abortion laws. It employs a multi-method approach combining manual privacy-policy review, static/dynamic analysis, and MobSF to assess 20 popular Android apps with roughly 144 million downloads. Findings show pervasive collection of PII and sensitive health data, extensive dangerous-permission usage, and OWASP-aligned vulnerabilities, with a substantial attack surface. The work argues for secure-by-design development, enhanced transparency, and cross-sector collaboration to safeguard women's reproductive health data in the post-Roe landscape.

Abstract

FemTech, a rising trend in mobile apps, empowers women to digitally manage their health and family planning. However, privacy and security vulnerabilities in period-tracking and fertility-monitoring apps present significant risks, such as unintended pregnancies and legal consequences. Our approach involves manual observations of privacy policies and app permissions, along with dynamic and static analysis using multiple evaluation frameworks. Our research reveals that many of these apps gather personally identifiable information (PII) and sensitive healthcare data. Furthermore, our analysis identifies that 61% of the code vulnerabilities found in the apps are classified under the top-ten Open Web Application Security Project (OWASP) vulnerabilities. Our research emphasizes the significance of tackling the privacy and security vulnerabilities present in period-tracking and fertility-monitoring mobile apps. By highlighting these crucial risks, we aim to initiate a vital discussion and advocate for increased accountability and transparency of digital tools for women's health. We encourage the industry to prioritize user privacy and security, ultimately promoting a safer and more secure environment for women's health management.

Paper Structure (32 sections, 1 figure, 7 tables)