Popular health apps could have some major security flaws.

Mobile health apps pose unprecedented risk to consumers’ privacy because of their ability to collect highly sensitive and valuable user data, new research shows.

An international team has investigated if and how user data is shared by top-rated medicines-related mobile apps. It also sought to characterise privacy risks to app users, both clinicians and consumers.

The researchers found sharing of user data by health apps is routine but far from transparent, and also identified a small number of commercial entities with the ability to aggregate and potentially re-identify user data.

“Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services,” said lead author Professor Quinn Grundy.

The research team identified 24 top-rated medicines-related apps for the Android mobile platform in the United Kingdom, United States, Canada, and Australia. All apps were available to the public; provided information about medicines dispensing, administration, prescribing, or use; and were interactive.

They then ran laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real-world use with four dummy scripts.

Privacy leaks were detected using a technique called Differential Traffic Analysis, explained co-author Dr Ralph Holz from the University of Sydney.

“The idea is to capture a baseline of the normal network data that an app causes, and then change privacy-related settings in the app. The places where the new settings turn up in any fresh network data show us where and to whom the app is leaking it,” he said.
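
The comparison described above can be sketched in a few lines of Python. This is an added illustration, not the researchers' tooling: the host names, payloads, setting values and the set of encodings checked are all constructed assumptions.

```python
import base64
import hashlib
from collections import defaultdict
from urllib.parse import quote, quote_plus

def wire_forms(value):
    """Map each distinct on-the-wire form of a value to a label (assumed, non-exhaustive set)."""
    raw = value.encode()
    candidates = [
        ("plain", value),
        ("urlencoded", quote(value, safe="")),
        ("form-encoded", quote_plus(value)),
        ("base64", base64.b64encode(raw).decode()),
        ("md5", hashlib.md5(raw).hexdigest()),
        ("sha256", hashlib.sha256(raw).hexdigest()),
    ]
    forms = {}
    for label, form in candidates:
        forms.setdefault(form, label)  # identical strings keep the first label
    return forms

def find_leaks(baseline, changed, new_values):
    """Return {host: {(setting, encoding)}} for new values absent from that host's baseline."""
    seen = defaultdict(str)
    for host, payload in baseline:
        seen[host] += payload + "\n"
    leaks = defaultdict(set)
    for host, payload in changed:
        for setting, value in new_values.items():
            for form, label in wire_forms(value).items():
                # Case-sensitive match; a new host has an empty baseline
                if form in payload and form not in seen[host]:
                    leaks[host].add((setting, label))
    return dict(leaks)

# Constructed sample captures: (destination host, request payload)
OLD_UID = hashlib.md5(b"base@test.example").hexdigest()
NEW_UID = hashlib.md5(b"jane.doe@test.example").hexdigest()
BASELINE = [
    ("api.medapp.example", "POST /profile email=base%40test.example&drug=aspirin"),
    ("ads.tracker.example", "GET /pixel?uid=" + OLD_UID),
    ("cdn.static.example", "GET /logo.png"),
]
CHANGED = [
    ("api.medapp.example", "POST /profile email=jane.doe%40test.example&drug=warfarin"),
    ("ads.tracker.example", "GET /pixel?uid=" + NEW_UID + "&kw=warfarin"),
    ("cdn.static.example", "GET /logo.png"),
]
NEW_VALUES = {"email": "jane.doe@test.example", "medication": "warfarin"}
```

Checking hashed and encoded forms matters because a recipient can receive an identifier without the plain value ever appearing in the traffic.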

Of the sampled apps, 79 per cent shared user data outside of the app.

A total of 55 unique entities, owned by 46 parent companies, received or processed this data, including developers, parent companies (first parties) and service providers (third parties).

Third parties also advertised the ability to share user data with 216 ‘fourth parties’ including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency.

Only three of these fourth parties could be characterised predominantly as belonging to the health sector.

Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data.

“User data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers,” said A/Prof Grundy.

“Health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.”

The full study is accessible here.