Some health apps putting users’ personal information at risk

The study indicated that the privacy of users of accredited apps may have been put at risk unnecessarily.

The researchers used a form of hack known as a “man-in-the-middle attack” to capture the data sent by an app over the internet.

One such program is Britain’s National Health Service (NHS) health apps library, which is a curated list of apps for patient and public use.

Mr Huckvale added that the NHS needed to work harder on testing because of how apps were likely to be used in the future.

Several smartphone health apps backed by the NHS could be putting users’ privacy at risk, according to a study by Imperial College London (PDF link).

A spokesperson for NHS Choices said: “We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated”.

While this was not something new, since some phones cannot store much data in their small storage units, 23 of those apps were sending this data via an unencrypted communications channel.

“This interception might occur at a local level in an Internet café or at a higher level in more sophisticated scenarios”.

But, more worryingly, the paper claims that “A failure to implement appropriate technical safeguards of personal information does not only imply a failure of accreditation, it may also represent a violation of data protection law in the United Kingdom”.

Chris Smith, vice president at Privitar, told SCMagazineUK.com that it is vital that personal data is treated with the utmost respect and security.

While more than half of the apps had a privacy policy, this was often vaguely worded and did not let people know what types of data were being shared. Could some of the new health apps be endangering your privacy?

“[This] raises concerns about potential risks to users and questions the ability of accreditation processes relying substantially on developer self-certification to ensure adherence to data protection principles”.

Kit Huckvale, a Ph.D. student at Imperial College London and co-author of the study, stressed that if these apps were ordinary health apps, they would not have been surprised by these findings.

Paul Dignan, technical account manager at F5 Networks, told SCMagazineUK.com that where data was sent in the clear, the information would be readable at any point in the transit chain between client and server.

How secure is your health data? “No app collected or transmitted information that a policy explicitly stated it would not; however, 78 percent of information-transmitting apps with a policy did not describe the nature of personal information included in transmissions”.

NHS Choices claims all of the apps that appear in its library have been reviewed and found to be clinically safe, but are not formally “accredited” or “endorsed”.
