What's this?

Research Project

Mobile health applications (apps) are a booming market in Australia and may be increasingly integrated into health services, workplaces, and insurance programs. Health app developers routinely share consumer data with multiple third parties including advertisers, data aggregators, and commercial partners as part of their business model. There is little transparency around third-party data sharing and health apps routinely fail to provide privacy assurances, yet request multiple forms of personal information.

There are also security concerns related to health-related apps. One study of health apps endorsed by the UK National Health Service found that the majority transmitted information to online services, but two thirds of sampled apps transmitted data in an unencrypted format.

Apps providing medicines-related information and services may be particularly vulnerable to privacy and security threats. Medicines-related apps that target health professionals are of particular interest to pharmaceutical companies, which can offer tailored advertising and glean insights into prescribing habits. Apps targeting consumers can deliver a detailed account of a patient's health history, which could put consumers at risk for employment, insurance or education-related discrimination. The goal of this project is to identify systemic privacy and security risks to consumers and health professionals that arise through the use of medicines-related apps.

We present the findings of this project in a research paper:
"Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis"
[PDF]

Disclosure and Developer Responses

We have been contacted by Ada Health GmbH, the developer of the Ada-Your Health Companion application. This study sets out our findings based on a detailed analysis of the data sharing practices of a number of mobile health applications. For the avoidance of doubt, it is not suggested (unless otherwise indicated) that individual applications share personal data (as defined in the General Data Protection Regulation) for commercial purposes. Ada Health has explained that its application does not share personal data with third parties for commercial use and that Ada Health hosts personal data within their private space with infrastructure providers, such as Amazon Web Services and Microsoft Azure, and certain analytics providers, in order to assist with the technical functioning of the application.

As part of our research project, we conducted a security analysis of the sampled apps. We elected to advise four developers of vulnerabilities detected in their apps related to insecure login or storage. We considered other security features, such as (lack of) end-to-end encryption, to be non-critical best practices that did not require official disclosure. As these vulnerabilities represent a risk to consumers, we planned to publish our analyses within 90 days of issuing the advisories, but wished to give the developers the opportunity to address these vulnerabilities.

We wish to acknowledge the efforts of the following developers in providing a fix and informing consumers that updates of these apps have been issued:

  • MIMS for Android (MIMS Australia): Updated August 2018, see v2.0.11.
  • Med Helper Pro Pill Reminder (Manyeta): Updated July 2018, see v2.8.9.
  • ListMeds Free (Fourth Career Solutions): Updated March 2019.
  • My PillBox(Meds&Pill Reminder) (Master B): No longer available in the Google Play Store.

People

Dataset

We purposefully sampled medicines-related apps that were considered prominent in terms of being highly downloaded, rated in the top 100, or endorsed by credible organizations. We triangulated a number of sampling strategies to identify apps:

  • Using a crawling program, we systematically sampled the top 100 listed free and paid apps in the Medical store category of the Australian, Canadian, United States and United Kingdom Google Play stores on a weekly basis for one month (October 17, 2017 to November 17, 2017). One investigator screened these 800 apps for any app names that appeared to be medicines-related. The list of medicines-related app names was then screened independently by two investigators according to the inclusion/exclusion criteria, using the information in the app store descriptions.
  • We examined the websites of health professional associations, medicines-related not-for-profit organizations (NPS MedicineWise), curated app libraries (iMedicalApps, myhealthapps.net), and app reviews in the scientific literature, polled our networks of practicing pharmacists, and sampled any recommended or endorsed apps.

After assembling a list of prominent, medicines-related apps, we screened eligible apps according to the following inclusion criteria:

  • Pertains to medicines such as managing medication lists, reminders, medicines or prescribing information.
  • Available for the Android platform in Google Play.
  • The app requested at least one dangerous permission, as defined by Google Play, or claimed to collect or share personal data.
  • The app had some degree of interactivity with the user (i.e. had functionality beyond providing information such as scheduling, reminders, personalized content, social functions).

Apps were excluded if:

  • They pertained exclusively to a single company (i.e. pharmacy, insurance plan or electronic health record).
  • They were restricted to use in a single country.

Sources of Private Information

The following is the list of sources of private information that we tracked during our study. While some of them clearly concern consumers' private data, others may seem irrelevant from a privacy perspective. However, when combined, such information can reveal users' characteristics and can be used to identify them.

android_id
ID unique to each Android device. For instance, it is used to identify devices for market downloads.
birthday
User's birthday.
browsing
App-related activity performed by the user (e.g., view pharmacies, search for medicines).
carrier
Mobile network operator, provider of network communications services (e.g., Vodafone).
connection_type
Cellular data or WiFi.
country
Country in which the device is located (e.g., Australia).
course-grain-location
Non-precise location. Usually gives only the city in which the device is located (e.g., Sydney).
device_id
IMEI code of the device.
device_name
Name of the device (e.g., Google Pixel).
doctor-name
Information about the user's doctor (e.g., name).
doses
Medicine doses (e.g., 100 mg Aspirin per day).
e-mail
User's e-mail address.
feelings
User's current feelings (e.g., happy, sad).
gender
User's gender.
name & lastname
User's name and last name.
med-conditions
User's medical conditions (e.g., past diseases).
meds-instruction
Instructions on how to take medicines (e.g., after dinner, in the morning).
meds-list
List of (prescribed) medicines taken by the user.
meds-schedule
Times for medicines (e.g., 8.00 PM Aspirin).
os_version
Android version of the device.
personal-conditions
User's personal conditions (e.g., smoker, pregnant).
personal-factors
User's personal factors (e.g., height, weight, blood pressure, blood type).
pharmacy-name
Information about the user's favorite pharmacies (e.g., name).
symptoms
User's symptoms (e.g., headache).
timezone
Timezone in which the device is located (e.g., GMT+11).
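
An added example, not the study's own tooling: one way to track the sources listed above in captured app traffic is to seed a test profile with known values and search each outbound request for them, either plainly or in common encodings, then group the hits by receiving host to see which sources end up combined in one place. The profile values, hosts and flows are constructed, and `encodings`, `scan` and `report` are hypothetical helper names.

```python
import base64
import hashlib
from urllib.parse import unquote_plus, urlsplit

# Constructed test profile: known values entered into the app under test,
# keyed by the source labels used in the list above.
PROFILE = {
    "android_id": "9774d56d682e549c",
    "e-mail": "jane.doe@example.org",
    "meds-list": "Aspirin",
    "country": "Australia",
}

def encodings(value):
    """Forms in which a seeded value may appear on the wire."""
    raw = value.encode()
    return {
        "plain": value.lower(),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def scan(flow, profile=PROFILE):
    """Return sorted (source, encoding) pairs found in one (url, body) request."""
    text = "\n".join(flow) + "\n" + unquote_plus("\n".join(flow))
    hits = set()
    for source, value in profile.items():
        for enc, needle in encodings(value).items():
            # base64 is case-sensitive; everything else is matched lowercased
            if needle in (text if enc == "base64" else text.lower()):
                hits.add((source, enc))
    return sorted(hits)

def report(flows, profile=PROFILE):
    """Per receiving host: sources seen, and whether any went over plain HTTP."""
    out = {}
    for flow in flows:
        parts = urlsplit(flow[0])
        for source, _ in scan(flow, profile):
            entry = out.setdefault(parts.hostname, {"sources": set(), "cleartext": False})
            entry["sources"].add(source)
            entry["cleartext"] |= parts.scheme == "http"
    return out

# Constructed sample flows as (url, body); the first carries a hashed android_id.
FLOWS = [
    ("http://ads.example.net/t?country=Australia&aid=" + hashlib.md5(b"9774d56d682e549c").hexdigest(), ""),
    ("https://api.example.com/sync", "email=jane.doe%40example.org&med=Aspirin"),
    ("https://cdn.example.com/logo.png", ""),
]
```

Hashing an identifier before sending it does not hide it from this check, because the same device always produces the same digest.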