"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications
Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosure, 18.3% initiate calls silently, and 73 send SMS without notice. Nearly half (49.3%) still use deprecated SHA-1 encryption, 42 transmit unencrypted data, and 6 remain vulnerable to StrandHogg 2.0. Analysis of 2.56 million user reviews found 28.5% negative or neutral sentiment, with over 553,000 explicitly citing privacy intrusions, data misuse, or operational instability. These findings demonstrate the urgent need for enforceable permission transparency, automated pre-market security vetting, and systematic adoption of secure-by-design practices to protect Protected Health Information (PHI).
💡 Research Summary
This paper presents a comprehensive security and privacy audit of 272 Android mobile health (mHealth) applications sourced from Google Play. The authors combine three analytical pillars—static code analysis, permission forensics, and large‑scale user‑review mining—to construct a multidimensional risk profile for each app and to explore the relationship between technical weaknesses and user‑perceived trust.
Methodology
The authors first identified health‑related apps using twenty targeted search terms and collected the top thirty results per term, yielding 292 unique packages. After de‑duplication and integrity verification, 272 APKs were retained for analysis. Three static analysis tools were employed: MobSF for general vulnerability scanning (including manifest inspection, network endpoint detection, and cryptographic assessment), RiskInDroid for mapping declared permissions against actual API calls (highlighting undeclared‑but‑used permissions), and OWASP Mobile Audit for CWE‑aligned SAST, focusing on the OWASP Mobile Top 10 categories. In parallel, 2,564,086 Google Play reviews were scraped, normalized, and subjected to sentiment analysis using TextBlob. Reviews with neutral or negative polarity were further processed with n‑gram frequency and co‑occurrence network analysis, followed by manual thematic coding into privacy, security, performance, usability, data‑collection, and functionality domains.
Key Technical Findings
- Permission Overreach: MobSF identified high‑risk permissions in the majority of apps: POST_NOTIFICATIONS (221 apps), CAMERA (176), WRITE_EXTERNAL_STORAGE (204), READ_EXTERNAL_STORAGE (188), and ACCESS_FINE_LOCATION (146). A total of 529 proprietary or undocumented permissions—often introduced by third‑party SDKs—were detected.
- Undeclared Usage: RiskInDroid analysis of 150 apps revealed that every app used at least one permission without declaring it. Frequently abused undeclared permissions included SEND_SMS, BROADCAST_STICKY, DISABLE_KEYGUARD, READ_PHONE_STATE, and MANAGE_ACCOUNTS.
- Network and Cryptography Issues: 22 apps trusted all TLS certificates, 42 allowed cleartext HTTP traffic, and 2 explicitly disabled certificate pinning. Cryptographic inspection uncovered 58 apps still employing SHA‑1‑RSA signatures, 9 using MD5, and 134 vulnerable to the Janus exploit. Six apps were susceptible to StrandHogg 2.0 task‑hijacking.
- Static Vulnerabilities: OWASP Mobile Audit reported an average of 44 critical findings per app and more than 2,000 high‑severity issues across the sample, with improper credential handling, insecure intent exposure, and lack of input validation topping the list.
- Exported Components: 2,252 instances of exported broadcast receivers and 1,232 exported permissions without protection levels were found, exposing apps to intent‑based attacks.
User‑Review Insights
Sentiment analysis yielded 1,842,381 positive, 297,976 neutral, and 423,729 negative reviews. Among neutral and negative reviews, 553,495 (21.6% of total feedback) explicitly mentioned privacy intrusions, data misuse, or operational instability. Correlation analysis demonstrated statistically significant links between technical flaws and negative sentiment: permission overreach (r = 0.62, p < 0.001), deprecated cryptography (r = 0.54, p < 0.001), and unencrypted transmission (r = 0.47, p < 0.001).
Implications and Recommendations
The study underscores a systemic failure to adhere to the principle of least privilege and secure‑by‑design practices within the mHealth ecosystem. The authors advocate for enforceable permission transparency, mandatory pre‑market security vetting integrated into app‑store pipelines, and regulatory extensions of HIPAA and GDPR to cover all applications handling Protected Health Information (PHI), not only those classified as medical devices. Concrete developer‑oriented recommendations include automated CI/CD checks for over‑privileged permissions, mandatory TLS certificate pinning, migration to SHA‑256 or stronger hash functions, and removal of undocumented SDK‑introduced permissions. For marketplaces, the paper proposes a tiered certification process that blocks apps with critical findings from publication until remediation.
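A minimal form of the automated CI/CD check recommended above, covering the manifest-level findings listed earlier (watched permissions, cleartext traffic, unprotected exported receivers, custom permissions without a protection level). This is an added example, not the paper's tooling; the package name, component names and the `WATCHED` list are assumptions, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions named in the findings above as high-risk or used undeclared.
WATCHED = {"ACCESS_FINE_LOCATION", "CAMERA", "SEND_SMS", "READ_PHONE_STATE",
           "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE"}

# Constructed sample manifest (decoded XML), not taken from any audited app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.clinic">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <permission android:name="com.example.clinic.READ_RECORDS"/>
  <permission android:name="com.example.clinic.SYNC" android:protectionLevel="signature"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".ReminderReceiver" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.clinic.SYNC"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return sorted (check, detail) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        short = node.get(ANDROID + "name", "").rsplit(".", 1)[-1]
        if short in WATCHED:
            findings.append(("watched-permission", short))
    for node in root.iter("permission"):
        # With no protectionLevel, a custom permission defaults to "normal".
        if node.get(ANDROID + "protectionLevel") is None:
            findings.append(("permission-no-protection-level", node.get(ANDROID + "name")))
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID + "usesCleartextTraffic") == "true":
            findings.append(("cleartext-traffic-allowed", "application"))
        for rcv in app.iter("receiver"):
            # An exported receiver with no android:permission accepts any sender.
            if rcv.get(ANDROID + "exported") == "true" and not rcv.get(ANDROID + "permission"):
                findings.append(("exported-receiver-unprotected", rcv.get(ANDROID + "name")))
    return sorted(findings)

if __name__ == "__main__":
    results = audit_manifest(SAMPLE_MANIFEST)
    print(*(f"{c}: {d}" for c, d in results), sep="\n")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI job
```

The check reads declared manifest entries only; permissions that are used without being declared require the kind of API-call mapping the study performed with RiskInDroid.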
Conclusion
By triangulating static code vulnerabilities, permission misuse, and real‑world user concerns, the paper provides robust evidence that mHealth applications pose substantial privacy and security risks. The strong statistical association between technical deficiencies and user‑perceived trust deficits highlights the urgent need for coordinated technical, policy, and industry actions to safeguard PHI in the rapidly expanding mobile health landscape.