Cargando…
On the privacy of mental health apps: An empirical investigation and its implications for app development
An increasing number of mental health services are now offered through mobile health (mHealth) systems, such as in mobile applications (apps). Although there is an unprecedented growth in the adoption of mental health services, partly due to the COVID-19 pandemic, concerns about data privacy risks d...
| Autores principales: | , , , |
|---|---|
| Formato: | Online Artículo Texto |
| Lenguaje: | English |
| Publicado: |
Springer US
2022
|
| Materias: | |
| Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9643945/ https://www.ncbi.nlm.nih.gov/pubmed/36407814 http://dx.doi.org/10.1007/s10664-022-10236-0 |
| _version_ | 1784826633847308288 |
|---|---|
| author | Iwaya, Leonardo Horn Babar, M. Ali Rashid, Awais Wijayarathna, Chamila |
| author_facet | Iwaya, Leonardo Horn Babar, M. Ali Rashid, Awais Wijayarathna, Chamila |
| author_sort | Iwaya, Leonardo Horn |
| collection | PubMed |
| description | An increasing number of mental health services are now offered through mobile health (mHealth) systems, such as in mobile applications (apps). Although there is an unprecedented growth in the adoption of mental health services, partly due to the COVID-19 pandemic, concerns about data privacy risks due to security breaches are also increasing. Whilst some studies have analyzed mHealth apps from different angles, including security, there is relatively little evidence for data privacy issues that may exist in mHealth apps used for mental health services, whose recipients can be particularly vulnerable. This paper reports an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps. We analyzed 27 top-ranked mental health apps from Google Play Store. Our methodology enabled us to perform an in-depth privacy analysis of the apps, covering static and dynamic analysis, data sharing behaviour, server-side tests, privacy impact assessment requests, and privacy policy evaluation. Furthermore, we mapped the findings to the LINDDUN threat taxonomy, describing how threats manifest on the studied apps. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests. There is also a high risk of user profiling as the apps’ development do not provide foolproof mechanisms against linkability, detectability and identifiability. Data sharing among 3rd-parties and advertisers in the current apps’ ecosystem aggravates this situation. Based on the empirical findings of this study, we provide recommendations to be considered by different stakeholders of mHealth apps in general and apps developers in particular. We conclude that while developers ought to be more knowledgeable in considering and addressing privacy issues, users and health professionals can also play a role by demanding privacy-friendly apps. SUPPLEMENTARY INFORMATION: The online version contains supplementary material available at 10.1007/s10664-022-10236-0. |
| format | Online Article Text |
| id | pubmed-9643945 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2022 |
| publisher | Springer US |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-96439452022-11-14 On the privacy of mental health apps: An empirical investigation and its implications for app development Iwaya, Leonardo Horn Babar, M. Ali Rashid, Awais Wijayarathna, Chamila Empir Softw Eng Article An increasing number of mental health services are now offered through mobile health (mHealth) systems, such as in mobile applications (apps). Although there is an unprecedented growth in the adoption of mental health services, partly due to the COVID-19 pandemic, concerns about data privacy risks due to security breaches are also increasing. Whilst some studies have analyzed mHealth apps from different angles, including security, there is relatively little evidence for data privacy issues that may exist in mHealth apps used for mental health services, whose recipients can be particularly vulnerable. This paper reports an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps. We analyzed 27 top-ranked mental health apps from Google Play Store. Our methodology enabled us to perform an in-depth privacy analysis of the apps, covering static and dynamic analysis, data sharing behaviour, server-side tests, privacy impact assessment requests, and privacy policy evaluation. Furthermore, we mapped the findings to the LINDDUN threat taxonomy, describing how threats manifest on the studied apps. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests. There is also a high risk of user profiling as the apps’ development do not provide foolproof mechanisms against linkability, detectability and identifiability. Data sharing among 3rd-parties and advertisers in the current apps’ ecosystem aggravates this situation. Based on the empirical findings of this study, we provide recommendations to be considered by different stakeholders of mHealth apps in general and apps developers in particular. We conclude that while developers ought to be more knowledgeable in considering and addressing privacy issues, users and health professionals can also play a role by demanding privacy-friendly apps. SUPPLEMENTARY INFORMATION: The online version contains supplementary material available at 10.1007/s10664-022-10236-0. Springer US 2022-11-08 2023 /pmc/articles/PMC9643945/ /pubmed/36407814 http://dx.doi.org/10.1007/s10664-022-10236-0 Text en © The Author(s) 2022 https://creativecommons.org/licenses/by/4.0/ Open AccessThis article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ (https://creativecommons.org/licenses/by/4.0/) . |
| spellingShingle | Article Iwaya, Leonardo Horn Babar, M. Ali Rashid, Awais Wijayarathna, Chamila On the privacy of mental health apps: An empirical investigation and its implications for app development |
| title | On the privacy of mental health apps: An empirical investigation and its implications for app development |
| title_full | On the privacy of mental health apps: An empirical investigation and its implications for app development |
| title_fullStr | On the privacy of mental health apps: An empirical investigation and its implications for app development |
| title_full_unstemmed | On the privacy of mental health apps: An empirical investigation and its implications for app development |
| title_short | On the privacy of mental health apps: An empirical investigation and its implications for app development |
| title_sort | on the privacy of mental health apps: an empirical investigation and its implications for app development |
| topic | Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9643945/ https://www.ncbi.nlm.nih.gov/pubmed/36407814 http://dx.doi.org/10.1007/s10664-022-10236-0 |
| work_keys_str_mv | AT iwayaleonardohorn ontheprivacyofmentalhealthappsanempiricalinvestigationanditsimplicationsforappdevelopment AT babarmali ontheprivacyofmentalhealthappsanempiricalinvestigationanditsimplicationsforappdevelopment AT rashidawais ontheprivacyofmentalhealthappsanempiricalinvestigationanditsimplicationsforappdevelopment AT wijayarathnachamila ontheprivacyofmentalhealthappsanempiricalinvestigationanditsimplicationsforappdevelopment |