- Oversecured discovered 1,500 vulnerabilities in 10 mental health apps with over 14 million downloads
- Exposed therapy transcripts, mood diaries, treatment schedules and other sensitive data
- Therapy files can sell for more than $1,000 each; many apps were missing updates, increasing security risks
Some mental health apps actually add to the pressure by exposing users’ sensitive medical information, experts have warned.
Security researchers at Oversecured recently analyzed 10 mobile mental health apps in the Android ecosystem, downloaded in total more than 14 million times, and found that they contained more than 1,500 vulnerabilities, 54 of which were rated as high severity.
“These apps collect and store some of the most sensitive personal data on mobile: therapy session transcripts, mood diaries, treatment schedules, indicators of self-harm, and, in some cases, HIPAA-protected information,” researchers said in a new report.
Unique risks
The vulnerabilities could be exploited in a variety of ways, but primarily to expose sensitive user data, such as therapy details, cognitive behavioral therapy (CBT) session notes, and various scores.
The flaws can also be used to intercept login information, spoof notifications, inject malicious HTML, or even locate the user.
Oversecured said that in some cases they discovered plain-text configuration data, including back-end API endpoints and hard-coded Firebase database URLs. Some applications use the cryptographically insecure java.util.Random class to generate session tokens and encryption keys.
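The java.util.Random finding, as an added example that is not taken from Oversecured's report or from any of the audited apps: plain Java showing why a token drawn from Random is only as unpredictable as its 48-bit seed, next to the SecureRandom and KeyGenerator form. The class name, method names and seed value are constructed for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class TokenDemo {
    // Weak pattern the report describes: java.util.Random is a 48-bit linear
    // congruential generator, so every byte below is a function of its seed.
    static String weakToken(long seed) {
        byte[] buf = new byte[32];
        new Random(seed).nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened form: SecureRandom draws from the platform CSPRNG.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static String strongToken() {
        byte[] buf = new byte[32];
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Keys come from KeyGenerator backed by the same CSPRNG, never from Random.
    static SecretKey strongAesKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, CSPRNG);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        long seed = 1700000000000L; // constructed sample seed, not from the report
        // Same seed, same "secret": the 256-bit token carries at most 48 bits of entropy.
        System.out.println("weak tokens equal:   " + weakToken(seed).equals(weakToken(seed)));
        // Independent CSPRNG draws are compared the same way.
        System.out.println("strong tokens equal: " + strongToken().equals(strongToken()));
        System.out.println("AES key bytes:       " + strongAesKey().getEncoded().length);
    }
}
```

On Android, java.util.Base64 requires API level 26 or later; android.util.Base64 is the equivalent on older releases.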
Sergey Toshin, founder of Oversecured, said mental health data carries “unique risks,” something cybercriminals seem particularly aware of. He noted that therapy records sell for $1,000 or more per record, “much more than credit card numbers.”
One warning sign for these apps is their update cadence: only four received an update as recently as this month, while the rest haven’t been updated in months, sometimes years.
To stay safe, it’s no longer enough to opt for popular apps with lots of downloads and positive reviews. Users should choose apps that are actively supported and receive regular updates.
Via BleepingComputer