Executive summary

This study focuses on medical apps in which the user mainly communicates sensitive details, for example health information or login credentials. Laboratory research conducted by ePrivacy exposes substantial shortcomings: many providers were unable to fulfil the set standards for privacy protection and data security.

In 80% of the apps, login details could be retrieved by unauthorised third parties

Shortcomings in the protection of personal data were identified in many of the medical apps tested. In around 80% of the tested apps, data traffic could be intercepted and, for example, usernames and passwords could be skimmed. About 38% of the apps do not use SSL encryption during online communication. Health information could be intercepted in over half (52%) of the apps. Additionally, in about 54% of the cases, data could not be protected from a so-called “man-in-the-middle” cyber-attack.
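The two failure modes named in this finding, plaintext transport and transport encryption whose verification has been switched off, can both be caught before release by auditing the client's own configuration. The following is an added illustration, not code from the ePrivacy study or from any of the tested apps; the endpoint URLs are constructed placeholders and the two context builders model a hardened client beside the weakened pattern that makes a man-in-the-middle invisible to the app.

```python
import ssl
from typing import List
from urllib.parse import urlsplit

# Constructed sample endpoints for the audit below; the host does not exist.
SAMPLE_ENDPOINTS = [
    "http://api.example-health.invalid/login",   # plaintext: credentials readable on the wire
    "https://api.example-health.invalid/login",
]


def audit_endpoint(url: str) -> List[str]:
    """Return findings for one URL; an empty list means nothing to report."""
    findings = []
    scheme = urlsplit(url).scheme
    if scheme != "https":
        findings.append(f"{url}: not using TLS (scheme {scheme!r})")
    return findings


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Report settings that let an interposed server go unnoticed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required or not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def hardened_context() -> ssl.SSLContext:
    """Verify the chain, check the hostname, refuse pre-1.2 protocol versions."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' pattern: verification disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for url in SAMPLE_ENDPOINTS:
        for f in audit_endpoint(url):
            print("endpoint:", f)
    print("hardened:", audit_tls_context(hardened_context()) or "no findings")
    print("weakened:", audit_tls_context(weakened_context()))
```

Running the audit over a hardened context yields no findings; the weakened context reports that certificates are not verified and the hostname is not checked, which is exactly the state in which an intercepting proxy can read and alter the login. The same checks belong in a release gate alongside a scan of the app's configured base URLs for any `http://` scheme.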

Hacking: 7% of the apps fail to sufficiently protect user profiles

In the context of the study, user accounts were created within multiple apps that save confidential health information. Subsequently, attempts were made to obtain profile details through social engineering, without any verification of identity. In around 7% of the cases, information such as login details could be obtained by third parties. In those cases, providers released data to third parties without satisfactory identification.

75% of the apps are vulnerable to manipulation of health information

Inadequate data protection can affect users’ health. In nearly 75% of the apps, the ePrivacy laboratory team was able to manipulate sent and received data, allowing them, for example, to falsify readings for blood-sugar levels.

Health information manipulation in almost 95% of the iOS apps

The results for the iOS apps are particularly worrisome: in almost 95% of these, health information could be manipulated within the app’s data traffic.
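The manipulation described in the two findings above succeeds because the receiving side has no way to tell an altered reading from a genuine one. Transport encryption is the first line of defence; a message authentication code over each reading is a second, independent check that survives even a compromised channel. The example below is added here and is not code from the study or from any tested app: it signs a constructed blood-sugar reading with HMAC-SHA256 under a demo key, then shows that a value altered in transit is rejected on verification. The key, reading and field names are assumptions for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In a real deployment this is a per-device or per-session
# secret provisioned over the verified TLS channel, never a constant in the app.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Constructed sample reading; the patient id and timestamp are placeholders.
SAMPLE_READING = {
    "patient_id": "demo-0001",
    "glucose_mg_dl": 112.0,
    "ts": "2024-01-01T08:00:00Z",
}


def canonical(reading: dict) -> bytes:
    """Stable serialisation so client and server authenticate identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict, key: bytes = DEMO_KEY) -> dict:
    """Client side: wrap the reading with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


def verify_reading(envelope: dict, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Server side: return the reading only if the tag verifies, otherwise None."""
    expected = hmac.new(key, canonical(envelope["reading"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):  # constant-time comparison
        return None
    return envelope["reading"]


def tamper_in_transit(envelope: dict, new_value: float) -> dict:
    """Model the alteration of an intercepted message; the tag is left untouched."""
    altered = json.loads(json.dumps(envelope))  # deep copy of the envelope
    altered["reading"]["glucose_mg_dl"] = new_value
    return altered


if __name__ == "__main__":
    env = sign_reading(SAMPLE_READING)
    print("genuine reading accepted:", verify_reading(env) is not None)
    print("altered reading accepted:", verify_reading(tamper_in_transit(env, 40.0)) is not None)
```

The tag covers every field, so changing the glucose value, the patient id or the timestamp invalidates it. What the tag does not do is prevent replay of an unmodified message; the server still needs to track the timestamp or a per-message nonce for that, and the key must never be recoverable from the app binary, otherwise an attacker simply re-signs the altered reading.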

Lack of privacy statement in over half of the apps

An app’s privacy statement is critically important. It should be readily accessible before a potential login, informing users of what happens to their data whenever they use the app. Around 65% of the tested Android apps and around 47% of those for iOS fared poorly in this regard because they do not provide a privacy statement to the user within the application. In total, the privacy statement is missing in 57% of medical apps.

Read on?

Read the entire white paper in detail and get the study as a PDF after free registration.

Do you have questions or recommendations for us?

We are glad to receive your comments.