Studies have shown that tracking your daily activity and health progress increases energy levels, decreases stress, and lowers blood pressure. In addition, due to mobile technology innovations, mobile health apps have become more accessible.
Statista data indicates that the Apple App Store and Google Play Store have 99,366 mHealth apps for Android and iPhone users. For example, Strava, Unmind, Nutrimedy, Kardia Mobile, iExaminer, and Fitbit have over 42 million users worldwide.
Health and fitness apps are great for tracking your health goals and fitness milestones. Boys’ Baseball Coach Nick Skala stated that apps like Fitocracy and Argus offer various utilities, such as cardio and strength workouts, fitness programs, and tutorials.
The apps work by users putting in their personal information, such as gender, birth control, medical conditions, home addresses, prescription drugs consumed, and email information, so that the apps may lead to privacy issues. They also collect heart rate, steps taken, travel details, sleeping time, and weight fluctuations.
Researchers have warned that mobile health (mHealth) apps sometimes have issues with information confidentiality. Computing lecturer Muhammad Ikram concluded that medical practitioners should know about privacy issues and inform their patients when recommending these apps.
The researchers checked many free health apps, such as calorie trackers, menstruation monitors, and step counters available on the Google Play store. They discovered that 88% of them could share confidential data.
Arxan Technologies analyzed 71 of the FDA and NHS-approved fitness apps in the USA, Japan, the UK, and Germany using Mi3 security technology. They tested every application for susceptibility to data leaks and malware. The findings were that 86% of them are susceptible to two or more risks.
Other discoveries include that 56% of personal data were from third-party services, including analytics, advertisers, push-notification services, provider trackers, and 23% of transmissions from unsafe communication channels.
In addition, Canadian researchers suggested more thorough scrutiny, accountability, and regulation of these apps from their creators, data managers, and digital advertisers.
Medical News Today interviewed Lee Chambers, and he stated that even though mHealth apps are generally positive, they need to improve on functionality, privacy clarity, trust, and content assurance.
84% of consumers assume that the apps have been carefully tested for security risks, so they are secure, and 63% of users believe that the app developers maintain security regularly.
However, Patrick Kehoe, Arxan Technologies CIO, showed concern on how many developers release their fitness apps without self-protection security elements.
A study done at Macquarie University in Australia also indicated that 88% of mHealth apps available on the Google Play Store serve the purpose of harvesting consumer information.
What are the Security Vulnerabilities in Health Apps?
The main vulnerability in mobile health applications is no binary code safety, which means that attackers can easily reverse-engineer them and modify the code.
Alisa Knight from Aite Group, an advisory company, said that lack of application shielding is extremely careless because it risks intellectual property and increases piracy.
Another huge vulnerability is weak transport layer safety, which causes exposure to untrustworthy third parties. For example, if a developer misconfigures the transport layer, the app becomes vulnerable to interception. Also, without encryption, an attacker can access confidential data, including usernames, passwords, and emails.
In addition, these apps collect data cookies, email addresses, device identifiers, contact information, and location, which track the user’s online activity. Fitness apps also share real-time data with law firms and social networks such as Instagram and Facebook, which use the information to send users targeted adverts.
Another security issue is the lack of accountability in privacy policies, which undermines privacy. Most of these apps will declare pages of privacy policies with no intention of following them.
In addition, the privacy policies are unclear and misleading, especially about not specifying who they share customer data with. An example is the HealthEngine app, where they asked users if they had recently been in car accidents or gotten injured at work. The app divulged the information to injury lawyers without consumers’ consent.
Another example is ovulation monitor apps like Maya, MIA Fem, and Flo, which have vague informed consent policies. Privacy International exposed these apps for sharing data with third parties such as Facebook. The information shared included contraception method, mood data, and sexual activity.
Outdated software also creates security holes that hackers can breach and get access to user data. An example is MyFitnessPal, which in 2018 exposed 150 million users’ sensitive data, including usernames and emails. Allowing users to input weak passwords also puts their information at risk.
These mHealth apps also neglect to inform their users to update their smartphone’s privacy settings to avoid exposing their data. An example is Strava, which uses a “FlyBy” feature to allow users to see the location of other runners, which can put their lives at risk. Also, MapMyRun and Nike+Run have these tracking features.
How Can mHealth Apps Improve their Data Safety for Consumers?
Users should set strong passwords for their fitness apps, so the apps should deny weak, easy-to-guess passwords. Also, better options include giving users a one-time password or a password manager.
Another safety measure is two-factor authentication. Health apps should offer extra security by giving users a 2FA system, where they have to input a password and a mobile phone number before gaining access to their account.
Controlling cookies is vital for data security. mHealth apps should present users with cookie warnings to choose which cookies they want to be active when using the app. Fitness applications should also block third-party cookies automatically.
These apps should have precise user agreements where they specify the third parties they share information with, the amount of data collected, how long they will keep the collected user information, arbitration clause, and if users can get the data back.
In addition, they should allow users to limit the information they share. For example, if a person only wants to track their calorie input and steps for an app with many options, they can turn off the sleep and heartbeat trackers.