
Penetration Testing and Privacy Assessment of Top-Ranked Health and Fitness Apps: An Empirical Study / Penetrationstestning och Integritetsbedömning av Toppklassade Hälso- och Fitnessappar: En Empirisk Studie

Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption has raised concerns regarding the security and privacy of user data within these apps. This study investigates the security and privacy risks associated with ten top-ranked Android health and fitness apps, a set which accounts for 237 million downloads. By utilizing tools such as MobSF, Qualys SSL, and CLAUDETTE, we performed a static, dynamic, server-side, and privacy policy analysis in order to gain comprehensive insights into the security and privacy posture of the investigated mobile health and fitness apps. The results from the analysis revealed vulnerabilities in coding practices, hardcoded sensitive information, insecure encryption configurations, misconfiguration, and extensive domain communication. For instance, our analysis revealed that all apps stored their database API key directly in the code, with eight apps additionally exposing the database URL. Furthermore, six apps employed insecure encryption methods, such as CBC mode with PKCS5/PKCS7 padding (five apps) and ECB mode (two apps). In total, the apps interacted with 404 distinct domains. Notably, two apps communicated with more than 230 domains each, while a third app connected with over 100 domains. Despite these findings, developers demonstrated improved awareness and proficiency in addressing privacy and security risks compared to previous studies in the field. The study underscores the importance of continuous research to comprehensively understand the security and privacy landscape of health and fitness apps.

Identifier: oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:kau-100477
Date: January 2024
Creators: Forsberg, Albin
Publisher: Karlstads universitet, Institutionen för matematik och datavetenskap (from 2013)
Source Sets: DiVA Archive at Upsalla University
Language: English
Detected Language: English
Type: Student thesis, info:eu-repo/semantics/bachelorThesis, text
Format: application/pdf
Rights: info:eu-repo/semantics/openAccess
