- Oversecured found 1,500 vulnerabilities across 10 mental health apps with over 14 million downloads
- Exposed therapy transcripts, mood logs, medication charts and other sensitive data
- Therapy records can sell for $1,000+ each; many apps lacked updates, increasing security risks
Some mental health apps actually add to users' pressure by exposing their sensitive medical information, experts have warned.
Security researchers at Oversecured recently analyzed 10 mobile mental health apps in the Android ecosystem, cumulatively downloaded more than 14 million times, and found that they contained more than 1,500 vulnerabilities, 54 of which were rated as high.
“These apps collect and store some of the most sensitive personal data on mobile: therapy session transcripts, mood logs, medication charts, self-harm indicators and, in some cases, information protected under HIPAA,” the researchers said in a new report.
Unique risks
The vulnerabilities can be exploited in a variety of ways, but primarily to expose sensitive user data, such as therapy details, cognitive behavioral therapy (CBT) session notes, and various scores.
The issues can also be used to intercept login credentials, spoof messages, inject malicious HTML code, or even locate the user.
Oversecured said that in some cases it discovered configuration data in clear text, including backend API endpoints and hardcoded Firebase database URLs. Some of the apps use the cryptographically insecure java.util.Random class to generate session tokens and encryption keys.
For Sergey Toshin, the founder of Oversecured, mental health data carries “unique risks,” something that cybercriminals seem to be particularly aware of, noting how therapy records sell for $1,000 or more apiece, “far more than credit card numbers”.
One thing that could have made these apps so risky is their update cadence, as only four received an update as recently as this month, while the rest haven’t been updated for months, sometimes years.
To stay safe, it is no longer enough to go for popular apps with lots of downloads and positive reviews. Users should choose apps that are actively supported and receive regular updates.
Via Bleeping Computer



