A large-scale investigation of mobile health apps available in Australia and worldwide suggests that many contain serious privacy issues, with hundreds transmitting user information to third-party service providers.
Researchers at Macquarie University's Department of Computing analysed over 20,000 health apps for Android in Google Play and say patients should be informed about privacy practices before use and installation.
"Our results show that the collection of personal user information is a pervasive practice in 'mHealth' apps, and not always transparent and secure," the researchers wrote.
Since neither Google Play nor the Apple App Store provide privacy auditing functionality, clinicians should check health apps' functionality and articulate that to patients in simple terms.
This includes checking the permissions that health apps request such as accessing sensitive areas of the phone like location data, cameras and microphones.
Clinicians should review health apps' privacy policies and practices as well, the researchers recommended.
However, the researchers also discovered that over 28 percent of the apps in their sample provided no privacy policies.
Google and Apple should examine privacy statements made by developers before their apps become available in the stores, the researchers said.
"Through a vetting process, mobile app marketplaces should ensure that a valid and meaningful privacy policy document is always provided, unlike the current situation, where we observed that the links to privacy policy pages accessible from Google Play were often broken or led to empty webpages," they said.
Even when privacy policies were declared, the researchers found that around half of the apps were not compliant with what was stated.
User data collection was also a concern.
A total of 15,838 health apps in Google's Play store were analysed in detail, with their privacy practices compared to a random sample of over 8000 non-health programs.
The results of the investigation showed that almost nine out of ten health apps contained code that could potentially collect user data.
Of the apps investigated, automated testing found that 616 or 3.9 percent collected data and transmitted user information to third-party external service providers, the researchers found.
Sensitive data that could be used to uniquely identify users included multiple immutable device identifiers, and GPS-determined user and cell tower location data which - in almost a quarter of the sample - was sent over insecure communications protocols.
Apps may also collect user contact information, app cookies and other information that the researchers said was sent to 665 third party entities in total.
Google was the most prominent third party data collection service, the researchers noted.