Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms

Müthing, Jannis; Brüngel, Raphael; Friedrich, Christoph M.

doi:10.2196/jmir.9818

Cited by 22 publications

(15 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The lack of transparency, inadequate efforts to secure users’ consent, and dominance of companies who use these data for the purposes of marketing, suggests that this practice is not for the benefit of the consumer 10. Furthermore, the presence of trackers for advertising and analytics, uses additional data and processing time and could increase the app’s vulnerability to security breaches 25. In their defence, developers often claim that no “personally identifiable” information is collected or shared.…”

Section: Discussionmentioning

confidence: 99%

“…10 Furthermore, the presence of trackers for advertising and analytics, uses additional data and processing time and could increase the app’s vulnerability to security breaches. 25 In their defence, developers often claim that no “personally identifiable” information is collected or shared. However, the network positions of several companies who control the infrastructure in which apps are developed, as well as the data analytics and advertising services, means that users can be easily and uniquely identified, if not by name.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis

Grundy

Chiu

Held

et al. 2019

BMJ

124

View full text Add to dashboard Cite

ObjectivesTo investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.DesignTraffic, content, and network analysis.SettingTop rated medicines related apps for the Android mobile platform available in the Medical store category of Google Play in the United Kingdom, United States, Canada, and Australia.Participants24 of 821 apps identified by an app store crawling program. Included apps pertained to medicines information, dispensing, administration, prescribing, or use, and were interactive.InterventionsLaboratory based traffic analysis of each app downloaded onto a smartphone, simulating real world use with four dummy scripts. The app’s baseline traffic related to 28 different types of user data was observed. To identify privacy leaks, one source of user data was modified and deviations in the resulting traffic observed.Main outcome measuresIdentities and characterisation of entities directly receiving user data from sampled apps. Secondary content analysis of company websites and privacy policies identified data recipients’ main activities; network analysis characterised their data sharing relations.Results19/24 (79%) of sampled apps shared user data. 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies (first parties) and service providers (third parties). 18 (33%) provided infrastructure related services such as cloud services. 37 (67%) provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks. Network analysis revealed that first and third parties received a median of 3 (interquartile range 1-6, range 1-24) unique transmissions of user data. Third parties advertised the ability to share user data with 216 “fourth parties”; within this network (n=237), entities had access to a median of 3 (interquartile range 1-11, range 1-140) unique transmissions of user data. Several companies occupied central positions within the network with the ability to aggregate and re-identify user data.ConclusionsSharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis

Grundy

Chiu

Held

et al. 2019

BMJ

124

View full text Add to dashboard Cite

show abstract

“…Mobile communication and app use in health care settings has led to concerns regarding patient privacy [ 16 ] and information security [ 17 - 19 ]. Prior to release, an internal security audit and IT review were conducted in 5 business days despite this process typically taking much longer in general.…”

Section: Discussionmentioning

confidence: 99%

A Mobile App to Facilitate Socially Distanced Hospital Communication During COVID-19: Implementation Experience

Anyanwu¹,

Ward²,

Shah³

et al. 2021

JMIR Mhealth Uhealth

View full text Add to dashboard Cite

Background COVID-19 has significantly altered health care delivery, requiring clinicians and hospitals to adapt to rapidly changing hospital policies and social distancing guidelines. At our large academic medical center, clinicians reported that existing information on distribution channels, including emails and hospital intranet posts, was inadequate to keep everyone abreast with these changes. To address these challenges, we adapted a mobile app developed in-house to communicate critical changes in hospital policies and enable direct telephonic communication between clinical team members and hospitalized patients, to support social distancing guidelines and remote rounding. Objective This study aimed to describe the unique benefits and challenges of adapting an app developed in-house to facilitate communication and remote rounding during COVID-19. Methods We adapted moblMD, a mobile app available on the iOS and Android platforms. In conjunction with our Hospital Incident Command System, resident advisory council, and health system innovation center, we identified critical, time-sensitive policies for app usage. A shared collaborative document was used to align app-based communication with more traditional communication channels. To minimize synchronization efforts, we particularly focused on high-yield policies, and the time of last review and the corresponding reviewer were noted for each protocol. To facilitate social distancing and remote patient rounding, the app was also populated with a searchable directory of numbers to patient bedside phones and hospital locations. We monitored anonymized user activity from February 1 to July 31, 2020. Results On its first release, 1104 clinicians downloaded moblMD during the observation period, of which 46% (n=508) of downloads occurred within 72 hours of initial release. COVID-19 policies in the app were reviewed most commonly during the first week (801 views). Users made sustained use of hospital phone dialing features, including weekly peaks of 2242 phone number dials, 1874 directory searches, and 277 patient room phone number searches through the last 2 weeks of the observation period. Furthermore, clinicians submitted 56 content- and phone number–related suggestions through moblMD. Conclusions We rapidly developed and deployed a communication-focused mobile app early during COVID-19, which has demonstrated initial and sustained value among clinicians in communicating with in-patients and each other during social distancing. Our internal innovation benefited from our team’s familiarity with institutional structures, short feedback loops, limited security and privacy implications, and a path toward sustainability provided by our innovation center. Challenges in content management were overcome through synchronization efforts and timestamping review. As COVID-19 continues to alter health care delivery, user activity metrics suggest that our solution will remain important in our efforts to continue providing safe and up-to-date clinical care.

show abstract

“…Inspection of the code Static analysis [54], [62], [65], [67], Dynamic code analysis [62], [65], [67], Vulnerability apps [51] [51], [54], [62], [65], [67] Security transport issues tests System for Semiautomatic Tests of Relevant Transport Security Issues [57], BProxy tool and Testssl script and the Qualys SSL Labs test suite [61], technical assessment of encrypted and unencrypted data transmission [55], analysis of the Bluetooth Low Energy protocol traffic [54] [54], [55], [57], [61], [65] Technical implementation evaluation…”

Section: ) Evaluation Objectives and Artefactsmentioning

confidence: 99%

“…Mixed methods: analysis of the privacy policies [63], compliance with Data Protection regulation requirements [62], server location [61] [2], [62], [63], [65], [82] and the moment in the app lifecycle at which the evaluation should happen (level of evaluation). Similarly to the evaluation frameworks, most of the studies that suggested or applied various security and/or privacy evaluation techniques specified target mHealth stakeholders who could benefit or adopt them.…”

Section: Compliance Data Protection Regulations Compliancementioning

confidence: 99%

Security and Privacy of mHealth Applications: A Scoping Review

2020

View full text Add to dashboard Cite

While digital health or mHealth applications (apps) have become accessible resources for the support of personal health, the privacy and security of users' data have been the subject of concern and controversy. As large numbers of mHealth apps are created and are increasingly widely used by people with various health conditions, it is crucial to have clear and valid methods for evaluating the data practices within them. Recent regulatory initiatives such as the European Union's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have had the effect of raising awareness and establishing a minimal set of expectations. However, they do not in themselves address the issue of the development of systems which meet privacy and security requirements. There is a growing body of research on evaluation techniques and frameworks to support the assessment of the privacy and security of health apps, and guidelines to support their design. However, it can be challenging to navigate this space and choose appropriate techniques for a given context. Addressing this issue, this paper examines the recent literature on security and privacy of m-Health applications, using a scoping review methodology. It analyses data security and privacy evaluation techniques and frameworks that have been proposed for mHealth applications, as well as relevant research-based design recommendations. This work consolidates recent research on the topic to support researchers, app designers, end users, and healthcare professionals in designing, evaluating, recommending and adopting mHealth applications.

show abstract

Server-Focused Security Assessment of Mobile Health Apps for Popular Mobile Platforms

Cited by 22 publications

References 34 publications

Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis

Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis

A Mobile App to Facilitate Socially Distanced Hospital Communication During COVID-19: Implementation Experience

Security and Privacy of mHealth Applications: A Scoping Review

Contact Info

Product

Resources

About