Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On the Security and Privacy of AI-based Mobile Health Chatbots

Samuel Wairimu, Leonardo Horn Iwaya

TL;DR

This study empirically evaluates the security and privacy of AI-based mHealth chatbots on Android by conducting manual permission/policy reviews and comprehensive static/dynamic analyses with MobSF across 16 apps. It reveals pervasive issues, including dangerous permission requests, policy non-compliance (notably App7), extensive third-party trackers, manifest and code vulnerabilities, insecure network configurations, and Firebase misconfigurations. The authors provide actionable recommendations—auditing dependencies, clarifying data collection and retention, applying threat modeling, and adopting privacy-by-design practices—to strengthen data handling and transparency for developers and security engineers. The work highlights the practical impact of privacy and security gaps in mHealth chatbots, informing regulators, developers, and users, and sets the stage for future work on algorithmic transparency and usability of these AI-powered health tools.

Abstract

The rise of Artificial Intelligence (AI) has impacted the development of mobile health (mHealth) apps, most notably with the advent of AI-based chatbots used as ubiquitous ``companions'' for various services, from fitness to mental health assistants. While these mHealth chatbots offer clear benefits, such as personalized health information and predictive diagnoses, they also raise significant concerns regarding security and privacy. This study empirically assesses 16 AI-based mHealth chatbots identified from the Google Play Store. The empirical assessment follows a three-phase approach (manual inspection, static code analysis, and dynamic analysis) to evaluate technical robustness and how design and implementation choices impact end users. Our findings revealed security vulnerabilities (e.g., enabling Remote WebView debugging), privacy issues, and non-compliance with Google Play policies (e.g., failure to provide publicly accessible privacy policies). Based on our findings, we offer several recommendations to enhance the security and privacy of mHealth chatbots. These recommendations focus on improving data handling processes, disclosure, and user security. Therefore, this work also seeks to support mHealth developers and security/privacy engineers in designing more transparent, privacy-friendly, and secure mHealth chatbots.

On the Security and Privacy of AI-based Mobile Health Chatbots

TL;DR

This study empirically evaluates the security and privacy of AI-based mHealth chatbots on Android by conducting manual permission/policy reviews and comprehensive static/dynamic analyses with MobSF across 16 apps. It reveals pervasive issues, including dangerous permission requests, policy non-compliance (notably App7), extensive third-party trackers, manifest and code vulnerabilities, insecure network configurations, and Firebase misconfigurations. The authors provide actionable recommendations—auditing dependencies, clarifying data collection and retention, applying threat modeling, and adopting privacy-by-design practices—to strengthen data handling and transparency for developers and security engineers. The work highlights the practical impact of privacy and security gaps in mHealth chatbots, informing regulators, developers, and users, and sets the stage for future work on algorithmic transparency and usability of these AI-powered health tools.

Abstract

The rise of Artificial Intelligence (AI) has impacted the development of mobile health (mHealth) apps, most notably with the advent of AI-based chatbots used as ubiquitous ``companions'' for various services, from fitness to mental health assistants. While these mHealth chatbots offer clear benefits, such as personalized health information and predictive diagnoses, they also raise significant concerns regarding security and privacy. This study empirically assesses 16 AI-based mHealth chatbots identified from the Google Play Store. The empirical assessment follows a three-phase approach (manual inspection, static code analysis, and dynamic analysis) to evaluate technical robustness and how design and implementation choices impact end users. Our findings revealed security vulnerabilities (e.g., enabling Remote WebView debugging), privacy issues, and non-compliance with Google Play policies (e.g., failure to provide publicly accessible privacy policies). Based on our findings, we offer several recommendations to enhance the security and privacy of mHealth chatbots. These recommendations focus on improving data handling processes, disclosure, and user security. Therefore, this work also seeks to support mHealth developers and security/privacy engineers in designing more transparent, privacy-friendly, and secure mHealth chatbots.

Paper Structure

This paper contains 33 sections, 3 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Data Collection
  5. Manual Inspection
  6. Manifest Permission Mapping
  7. Assessing Compliance with Google Play Policy
  8. Static code & Dynamic Analyses
  9. Ethical approval
  10. Findings
  11. Manual Analysis
  12. Manifest Permission Mapping
  13. Assessing Compliance with Google Play Policy
  14. Static Code & Dynamic Analysis
  15. Static Code Analysis
  16. ...and 18 more sections