Mental health apps may have flaws
Various mental health mobile applications with over millions of downloads on Google Play have security flaws that could leak users’ personal medical data.
Researchers found over 85 medium and high-severity vulnerabilities in one of the apps that can be abused to hack users' therapy data and privacy.
Few products are AI companions built to help people having anxiety, clinical depression, bipolar disorder and stress.
Six of the ten studied applications said that user chats are private and encoded safely on the vendor's servers.
Oversecured CEO Sergey Toshin said that “Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers.”
More than 1500 security vulnerabilities reported
Experts scanned ten mobile applications promoted as tools that help with mental health issues, and found 1,575 security flaws: 938 low-severity, 538 medium-severity, and 54 rated high-severity.
No critical issues were found, a few can be leveraged to hack login credentials, HTML injection, locate the user, or spoof notifications.
Experts used the Oversecured scanner to analyse the APK files of the mental health apps for known flaw patterns in different categories.
Using Intent.parseUri() on an externally controlled string, one treatment app with over a million downloads launches the generated messaging object (intent) without verifying the target component.
This makes it possible for an attacker to compel the application to launch any internal activity, even if it isn't meant for external access.
Oversecured said, “Since these internal activities often handle authentication tokens and session data, exploitation could give an attacker access to a user’s therapy records.”
Another problem is storing data locally that gives read access to all apps on the device. This can expose therapy details, depending on the saved data. Therapy details such as Cognitive Behavioural Therapy (CBT), session notes, therapy entries. Experts found plaintext configuration data and backend API endpoints inside the APK resources.
“These apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA,” Oversecured said.
