Forensic Taxonomy of Popular Android mHealth Apps

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

Mobile health applications (or mHealth apps, as they are commonly known) are increasingly popular with both individual end users and user groups such as physicians. Due to their ability to access, store and transmit personally identifiable and sensitive information (e.g. geolocation information and personal details), they are potentially an important source of evidentiary materials in digital investigations. In this paper, we examine 40 popular Android mHealth apps. Based on our findings, we propose a taxonomy incorporating artefacts of forensic interest to facilitate the timely collection and analysis of evidentiary materials from mobile devices involving the use of such apps. Artefacts of forensic interest recovered include user details and email addresses, the chronology of user locations and food habits. We are also able to recover user credentials (e.g. user password and four-digit app login PIN number), locate user profile pictures and identify the timestamp associated with a user's location.


💡 Research Summary

The paper investigates the forensic potential of popular Android mobile health (mHealth) applications, focusing on the types of artefacts that can be recovered from a device and proposing a structured taxonomy to guide investigators. The authors selected 40 widely used Android mHealth apps from the Google Play Store based on download counts, user ratings, and category diversity (fitness tracking, diet management, sleep monitoring, tele‑medicine, etc.). Each app was installed on a rooted Android 10 device and operated under realistic user scenarios for two weeks. After the usage period, the researchers extracted internal data using ADB commands, pulled SQLite databases, SharedPreferences files, cache directories, and log files, and processed the raw data with Python scripts to automate keyword and pattern searches.

The analysis revealed a rich set of forensic artefacts across all apps. Personal identifying information (PII) such as user name, email address, and phone number was frequently stored in plain text or weakly hashed form. Authentication data—including user passwords and four‑digit PINs—was often found in SharedPreferences without strong encryption. Location data appeared as GPS coordinates with timestamps in logs or dedicated tables, enabling reconstruction of a user’s movement history. Health‑related records (diet entries, exercise logs, sleep patterns) were stored in structured tables containing timestamps, calorie counts, distance travelled, heart‑rate measurements, and other metrics, allowing a chronological view of the user’s lifestyle. Profile pictures were cached as JPEG/PNG files, sometimes containing EXIF metadata with capture dates and geotags.

A subset of apps employed stronger encryption (e.g., AES‑256) for their databases. The authors demonstrated that encryption keys were typically stored in the Android keystore; by extracting the keystore from a rooted device or reverse‑engineering the app’s decryption routine, they could recover the keys and decrypt the databases. The study also highlighted the impact of Android’s Scoped Storage model (introduced in Android 11), which restricts access to external storage and forces forensic tools to rely on internal app directories and backup files unless elevated privileges are obtained.

Based on the observed artefacts, the authors constructed a forensic taxonomy consisting of four primary dimensions: (1) User Authentication (passwords, PINs, token files), (2) Location & Time (GPS logs, Wi‑Fi scans, timestamps), (3) Health & Behaviour (diet, exercise, sleep, biometric measurements), and (4) Multimedia (profile pictures, audio recordings). Each dimension is further divided into sub‑categories (e.g., Authentication‑Password, Authentication‑PIN, Location‑GPS, Location‑Wi‑Fi, Health‑Diet, Health‑Exercise, Multimedia‑ProfileImage). This taxonomy serves as a practical checklist for investigators, indicating which artefact types should be prioritized during evidence collection and how they interrelate for cross‑validation (e.g., confirming a location claim with both GPS logs and timestamped photos).
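As an added example (not code from the paper or its authors), the script below turns the four dimensions into a triage checklist and runs it over two constructed artefact sources of the kind described above: a SharedPreferences file holding a password and PIN in the clear, and an in-memory SQLite database with a location log and a meal log. It also implements the cross-validation step, pairing GPS fixes with photos whose EXIF capture time falls within a window. The key and column names, the package path, the coordinates and all values are invented, and the keyword patterns are an assumption about how apps name their fields that would have to be tuned per app.

```python
"""Artefact triage against the paper's four-dimension taxonomy.
Added example, not the paper's code; every input below is constructed."""
import re
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed SharedPreferences file, shaped like the plaintext credential
# storage the summary describes (package name and values are invented).
SHARED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_email">alice@example.com</string>
    <string name="user_password">S3cret!</string>
    <string name="app_pin">4821</string>
    <string name="auth_token">c2Vzc2lvbi10b2tlbi1leGFtcGxl</string>
    <string name="profile_image">/data/data/com.example.mhealth/cache/profile_42.jpg</string>
    <int name="daily_step_goal" value="10000" />
</map>
"""

def _keyword(*words):
    # Match whole underscore-separated tokens, so "lat" does not hit "relation".
    return re.compile(r"(^|_)(%s)(_|$)" % "|".join(words), re.I)

# Dimension -> sub-category -> pattern over key/column names (names are assumed).
TAXONOMY = {
    "User Authentication": {
        "Password": _keyword("password", "passwd", "pwd"),
        "PIN": _keyword("pin"),
        "Token": _keyword("token", "session"),
    },
    "Location & Time": {
        "GPS": _keyword("lat", "latitude", "lon", "longitude", "lng", "gps"),
        "Wi-Fi": _keyword("wifi", "ssid", "bssid"),
        "Timestamp": _keyword("timestamp", "time", "at", "date"),
    },
    "Health & Behaviour": {
        "Diet": _keyword("meal", "food", "calorie", "calories"),
        "Exercise": _keyword("step", "steps", "distance", "heart"),
    },
    "Multimedia": {"ProfileImage": _keyword("image", "photo", "picture", "avatar")},
}

def classify(name):
    """Map a key/column name to (dimension, sub-category); None if unmatched."""
    for dimension, subs in TAXONOMY.items():
        for sub, pattern in subs.items():
            if pattern.search(name):
                return dimension, sub
    return None

def looks_protected(value):
    """Heuristic: a hex digest or long base64 blob counts as protected."""
    return bool(re.fullmatch(r"[0-9a-fA-F]{32,}", value)
                or re.fullmatch(r"[A-Za-z0-9+/=]{40,}", value))

def inventory_shared_prefs(xml_text):
    """Classify each SharedPreferences entry; flag passwords/PINs stored in the clear."""
    findings = []
    for elem in ET.fromstring(xml_text.encode()):
        name = elem.get("name")
        value = elem.text if elem.text is not None else elem.get("value", "")
        dimension, sub = classify(name) or ("Unclassified", None)
        findings.append({"key": name, "dimension": dimension, "sub": sub,
                         "plaintext_credential": sub in ("Password", "PIN")
                         and not looks_protected(value)})
    return findings

def build_sample_db():
    """Constructed SQLite database mimicking an app's internal tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE location_log(id INTEGER PRIMARY KEY, latitude REAL,
                                  longitude REAL, recorded_at INTEGER);
        CREATE TABLE meal_log(id INTEGER PRIMARY KEY, meal_name TEXT,
                              calories INTEGER, recorded_at INTEGER);
        INSERT INTO location_log VALUES (1, 48.8566, 2.3522, 1456833600),
                                        (2, 48.8606, 2.3376, 1456840800);
        INSERT INTO meal_log VALUES (1, 'breakfast', 420, 1456830000);""")
    return conn

def inventory_sqlite(conn):
    """Classify every column of every table using PRAGMA table_info."""
    findings = {}
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        for _, col, *_ in conn.execute("PRAGMA table_info(%s)" % table):
            findings["%s.%s" % (table, col)] = classify(col)
    return findings

def corroborate(conn, photo_exif_times, window_seconds=900):
    """Cross-validate: pair GPS fixes with photos whose EXIF time (taken as UTC) is within the window."""
    matches = []
    fixes = conn.execute("SELECT latitude, longitude, recorded_at FROM location_log").fetchall()
    for photo, stamp in photo_exif_times.items():
        taken = datetime.strptime(stamp, "%Y:%m:%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for lat, lon, epoch in fixes:
            gap = abs((taken - datetime.fromtimestamp(epoch, tz=timezone.utc)).total_seconds())
            if gap <= window_seconds:
                matches.append((photo, lat, lon, int(gap)))
    return matches
```

Entries that match no dimension (the email address here) are reported as Unclassified rather than dropped, so the checklist does not silently hide the user-detail PII that the abstract lists outside the four dimensions. The plaintext heuristic is deliberately conservative: anything that is not a hex digest or a long base64 blob is flagged for manual review, which is the behaviour an investigator (or an app developer auditing their own storage) wants from a first pass.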

The paper’s contributions are threefold: (i) it provides the first systematic catalogue of forensic artefacts across a sizable sample of popular Android mHealth apps; (ii) it analyses the variability in storage structures and encryption practices, outlining the technical challenges that investigators may encounter; and (iii) it delivers a reusable taxonomy that can standardise evidence‑gathering workflows for mHealth‑related investigations. The authors argue that mHealth apps are high‑value sources of evidence because they simultaneously contain personal health data, location history, and authentication credentials. They recommend that forensic practitioners collect both memory dumps and persistent storage artefacts to verify sensitive data such as passwords and PINs.

In conclusion, the study confirms that Android mHealth applications expose a wealth of personally identifiable and health‑related information that can be leveraged in digital investigations. The proposed taxonomy offers a clear, actionable framework for timely collection, preservation, and analysis of such evidence. Future work suggested includes extending the methodology to iOS mHealth apps, examining server‑side logs and cloud backups, and evaluating the taxonomy’s applicability in real‑world law‑enforcement cases.

