Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption has raised concerns regarding the security and privacy of user data within these apps. This study investigates the security and privacy risks associated with ten top-ranked Android health and fitness apps, a set which accounts for 237 million downloads. By utilizing tools such as MobSF, Qualys SSL, and CLAUDETTE, we performed a static, dynamic, server-side, and privacy policy analysis in order to gain comprehensive insights into the security and privacy posture of the investigated mobile health and fitness apps. The results from the analysis revealed vulnerabilities in coding practices, hardcoded sensitive information, insecure encryption configurations, misconfiguration, and extensive domain communication. For instance, our analysis revealed that all apps stored their database API key directly in the code, with eight apps additionally exposing the database URL. Furthermore, six apps employed insecure encryption methods, such as CBC mode with PKCS5/PKCS7 padding (five apps) and ECB mode (two apps).In total, the apps interacted with 404 distinct domains. Notably, two apps communicated with more than 230 domains each, while a third app connected with over 100 domains. Despite these findings, developers demonstrated improved awareness and proficiency in addressing privacy and security risks compared to previous studies in the field. The study underscores the importance of continuous research to comprehensively understand the security and privacy landscape of health and fitness apps.
Identifer | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:kau-100477 |
Date | January 2024 |
Creators | Forsberg, Albin |
Publisher | Karlstads universitet, Institutionen för matematik och datavetenskap (from 2013) |
Source Sets | DiVA Archive at Upsalla University |
Language | English |
Detected Language | English |
Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
Format | application/pdf |
Rights | info:eu-repo/semantics/openAccess |
Page generated in 0.002 seconds