Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications

Luke Stevenson, Sanchari Das

TL;DR

This paper conducts a comprehensive, end-to-end audit of $272$ Android mHealth apps, combining static analysis (MobSF, RiskInDroid, OWASP MA) with permission forensics and sentiment analysis of over $2.56$ million user reviews to assess security, privacy, and usability. It reveals systemic weaknesses (undeclared permissions, deprecated cryptography, insecure transport, and misconfigurations) that correlate with substantial negative user sentiment and trust erosion. The study offers concrete, actionable recommendations for secure-by-design practices, automated pre-market vetting, and regulatory reform to protect PHI in the evolving mHealth ecosystem. Its reproducible methodology provides a scalable blueprint for app-store vetting, developer tooling, and socio-technical oversight to enhance privacy transparency and data security.

Abstract

Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosure, 18.3% initiate calls silently, and 73 send SMS without notice. Nearly half (49.3%) still use deprecated SHA-1 encryption, 42 transmit unencrypted data, and 6 remain vulnerable to StrandHogg 2.0. Analysis of 2.56 million user reviews found 28.5% negative or neutral sentiment, with over 553,000 explicitly citing privacy intrusions, data misuse, or operational instability. These findings demonstrate the urgent need for enforceable permission transparency, automated pre-market security vetting, and systematic adoption of secure-by-design practices to protect Protected Health Information (PHI).

"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications

TL;DR

This paper conducts a comprehensive, end-to-end audit of Android mHealth apps, combining static analysis (MobSF, RiskInDroid, OWASP MA) with permission forensics and sentiment analysis of over million user reviews to assess security, privacy, and usability. It reveals systemic weaknesses (undeclared permissions, deprecated cryptography, insecure transport, and misconfigurations) that correlate with substantial negative user sentiment and trust erosion. The study offers concrete, actionable recommendations for secure-by-design practices, automated pre-market vetting, and regulatory reform to protect PHI in the evolving mHealth ecosystem. Its reproducible methodology provides a scalable blueprint for app-store vetting, developer tooling, and socio-technical oversight to enhance privacy transparency and data security.

Abstract

Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosure, 18.3% initiate calls silently, and 73 send SMS without notice. Nearly half (49.3%) still use deprecated SHA-1 encryption, 42 transmit unencrypted data, and 6 remain vulnerable to StrandHogg 2.0. Analysis of 2.56 million user reviews found 28.5% negative or neutral sentiment, with over 553,000 explicitly citing privacy intrusions, data misuse, or operational instability. These findings demonstrate the urgent need for enforceable permission transparency, automated pre-market security vetting, and systematic adoption of secure-by-design practices to protect Protected Health Information (PHI).

Paper Structure

This paper contains 20 sections, 3 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Tools
  4. Mobile Application Privacy and Security
  5. Healthcare Applications
  6. Method
  7. Results
  8. MobSF
  9. RiskInDroid
  10. OWASP Mobile Audit
  11. Review Analysis
  12. Discussion
  13. Implications
  14. Platform Policy Enforcement
  15. By-Design Engineering
  16. ...and 5 more sections

Figures (3)

  • Figure 1: Study design showing data collection, static security analysis (MobSF, RiskInDroid, OWASP), and sentiment-based review analysis.
  • Figure 2: Distribution of dangerous permissions identified across healthcare applications using RiskInDroid.
  • Figure 3: Distribution of dangerous permissions identified across healthcare applications using RiskInDroid.