These are the slides for a presentation I gave at the Health Informatics Scotland on October 7, 2015 - summarizing joint work with Konstantin Knorr, David Aspinall, and Kami Vaniea on security and privacy in health apps (or lack thereof).
Russian Call Girls in Pune Tanvi 9907093804 Short 1500 Night 6000 Best call g...
How Safe are mHealth Apps?
1. BCS Health Informatics Scotland 2015
How Safe are
mHealth Apps?
Maria Wolters1
, Konstantin
Knorr2
, David Aspinall1
,
Kami Vaniea1
1 University of Edinburgh
2 University of Applied Sciences, Trier
2.
3. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
That Finding Was Not a Surprise
❖ BBC report: Huckvale et al, BMC Medicine 2015 13:214
focus on apps included in the NHS app library, all
conditions and purposes
❖ Knorr/Aspinall/Wolters (2015): On the Privacy, Security, and
Safety of Blood Pressure and Diabetes Apps. in: Proc. IFIP
focus on Android apps for monitoring blood pressure
and blood glucose
4. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
Focus of this talk
❖ Knorr/Aspinall/Wolters (2015): On the Privacy, Security, and
Safety of Blood Pressure and Diabetes Apps. in: Proc. IFIP
Android apps for monitoring blood pressure and
blood glucose, no prior vetting
5. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
Why Does It Matter?
❖ Some apps ask for personal identifying information,
such as age / gender, or store location
❖ Some people would rather not want the world and their
insurance company to know that their blood glucose
levels are very high
❖ Some topics are sensitive (smoking, alcohol, mood, …)
6. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
Why Diabetes and Hypertension?
❖ Highly prevalent in population
❖ Successful telehealthcare applications
(cf. TeleScot results, McKinstry et al BMJ 2013; 346)
❖ Easily tracked by single key parameter
(blood pressure / blood glucose)
❖ Require regular monitoring
❖ Apps can provide useful feedback to patient
❖ Data can be exported to health care provider
7. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
The Apps
❖ English or German user interface
❖ can be tested on Nexus 7, Android 4.4.2 (tests in late
2014)
❖ over 10,000 (free) / 1,000 (paid) downloads
❖ n=157
8. Database
File
System
Nexus 7
App Stores
Select, buy,
download Apps
Extract APKs
Retrieve Meta Data
like Price, URL of Privacy Policy,
Number of Downloads
Vendors WebSite
(B) Dynamic Analysis
(A) Static Analysis
Retrieve
Privacy
Policies
(D) Analysis of
Privacy Policy
APKs
Privacy Policies
Generate
Statistics
Statistics
and Findings
Save results of
Testing in Database
and File System
Web Server
(C) Web Server
Security
App Store
9. Database
File
System
Nexus 7
App Stores
Select, buy,
download Apps
Extract APKs
Retrieve Meta Data
like Price, URL of Privacy Policy,
Number of Downloads
Vendors WebSite
(B) Dynamic Analysis
(A) Static Analysis
Retrieve
Privacy
Policies
(D) Analysis of
Privacy Policy
APKs
Privacy Policies
Generate
Statistics
Statistics
and Findings
Save results of
Testing in Database
and File System
Web Server
(C) Web Server
Security
App Store
all apps
10. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
Key Results - Static Analysis
❖ Many free apps use advertising add ons that pose massive privacy risks
❖ 6 apps were still debuggable
❖ 15 of 126 apps with Internet access permission were vulnerable to man
in the middle attacks
11. Database
File
System
Nexus 7
App Stores
Select, buy,
download Apps
Extract APKs
Retrieve Meta Data
like Price, URL of Privacy Policy,
Number of Downloads
Vendors WebSite
(B) Dynamic Analysis
(A) Static Analysis
Retrieve
Privacy
Policies
(D) Analysis of
Privacy Policy
APKs
Privacy Policies
Generate
Statistics
Statistics
and Findings
Save results of
Testing in Database
and File System
Web Server
(C) Web Server
Security
App Store
n=72
12. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
Key Results - Dynamic Analysis
❖ If somebody has your phone, they have your data -
most apps do not encrypt
❖ Of 49 apps that export to SD card, only 1 encrypts; some
do not include SD card in data wipe
❖ No provision for sending data and reports to carers and
health care professionals in encrypted emails /
encrypted PDFs
13. Database
File
System
Nexus 7
App Stores
Select, buy,
download Apps
Extract APKs
Retrieve Meta Data
like Price, URL of Privacy Policy,
Number of Downloads
Vendors WebSite
(B) Dynamic Analysis
(A) Static Analysis
Retrieve
Privacy
Policies
(D) Analysis of
Privacy Policy
APKs
Privacy Policies
Generate
Statistics
Statistics
and Findings
Save results of
Testing in Database
and File System
Web Server
(C) Web Server
Security
App Store
n=20 had dedicated web server
15. Database
File
System
Nexus 7
App Stores
Select, buy,
download Apps
Extract APKs
Retrieve Meta Data
like Price, URL of Privacy Policy,
Number of Downloads
Vendors WebSite
(B) Dynamic Analysis
(A) Static Analysis
Retrieve
Privacy
Policies
(D) Analysis of
Privacy Policy
APKs
Privacy Policies
Generate
Statistics
Statistics
and Findings
Save results of
Testing in Database
and File System
Web Server
(C) Web Server
Security
App Store
only 19%
had one
16. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
Caveats
❖ Apps are ubiquitous, free apps are particularly tempting
- but your medical data is the commodity
❖ Apps are not (expensive) medical devices that have to
undergo rigorous testing
❖ If your phone is stolen and hacked, your data is
unprotected
17. Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
What Now?
❖ Support developers in best practice
❖ Create meaningful accreditation
❖ Educate patients
❖ … - over to you!
❖ Contact: Maria Wolters maria.wolters@ed.ac.uk @mariawolters