Analyzing privacy risks of mHealth applications

Alexander Mense, Philipp Urbauer, Harald Wahl, Stefan Sauermann


Post on 16-Feb-2018



© FH Technikum Wien 2

Agenda

• Motivation

• Analyzing health apps

• Results

• Discussion


Motivation

• The eHealth team of the University of Applied Sciences Technikum Wien has been working in the area of connecting Medical Devices / Personal Health Devices (PHD) since 2007

– Main focus on interoperability using international standards

[Figure: architecture diagram with the labels Medical Device, Personal Health Device, Monitoring Device, Web Portal, 11073 Archive, Statistics, Data Extractor, Hospital, Service, Electronic Health Record, Personal Health Record]


The number of mobile applications (apps) is growing tremendously

165,000 health & medical apps now on the market

Additional gadgets of personal health devices and rising number of wearables


http://www.imedicalapps.com/2015/09/ims-health-apps-report/#

samsung.com


“Professional” Use

Use of mobile health apps in professional care environments

– e.g. Telemonitoring Architecture Austria


Security & Privacy

Dealing with sensitive data implies privacy requirements – privacy implies security requirements

It is well known that many health apps cause security and privacy problems (even “officially” endorsed ones, e.g. from “NHS England's Health Apps Library”)

– Conceptual weaknesses of mobile OS

– Bad programming of apps

– Insecure data transmission

– Unknown data usage by developing company

– Data usage by third parties (analytics & advertising)

– …


General Objective

Test environment and generic procedures for evaluation of security and privacy aspects of specific mHealth apps and solutions

Can be used …

– … as part of an overall evaluation process

– … as input to a risk analysis for mHealth applications

– … for educational purposes


Analyzing Health Apps


General architecture


[Figure: Embedded application, Mobile application and Backend application, connected by two links labelled "transmission"]


Analyzing health apps 1/4

Testing categories

– Static analysis

Analyzing source code

– Dynamic analysis

mobile app is executed in a simulation environment to examine runtime behavior, access to local services and storage as well as interaction with the remote services


Analyzing health apps 2/4

Data classification

– Generic data

Device identifiers

Location

Contact information

Others like pictures, SMS, chat, …

– Health app specific data

Personal identifiers

Personal health information collected, maintained and transmitted to services on the internet over public lines

E.g. body measures, fitness & activity data, medication list, vaccinations, personal health device measurements


Analyzing health apps 3/4

Generic Mobile Application Security Risks

– Majority of mobile applications are actually client-server applications

mobile device app is used to collect data, provide specific application functionalities and data visualization

storage and another part of application functions are handled by software running on a “developer-controlled” server

– Use of generic risk models such as Open Web Application Security Project (OWASP) top 10 risks for mobile applications


Analyzing health apps 4/4

Additional Privacy Risks

– Unintended app functionalities such as behavioral tracking or user specific advertising are not covered by generic frameworks like OWASP

– Data provided to third party “analytics” or advertising services


Evaluating security & privacy of connectivity and data transfer

Main focus of the first step was on analysis of data transmission over network

– Use of encrypted traffic

– Possible interception of encrypted communication

– Where is information sent to (developer owned vs. third party servers)

– Which information is transmitted to whom
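
An added example, not part of the original slides: one way to answer the last two questions automatically from flows exported by the intercepting proxy. The tracker domains are taken from the results in this talk; the field names in HINTS, the first-party domain and the sample flows are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Third-party hosts named in the talk's results (subset).
TRACKERS = {"admob.com", "appsflyer.com", "flurry.com",
            "google-analytics.com", "localytics.com", "crashlytics.com"}

# Hypothetical field names per data class (classes follow the talk's data classification).
HINTS = {
    "device_id": ("android_id", "imei", "device_id", "advertising_id"),
    "location": ("lat", "lon", "location"),
    "contact": ("email", "phone"),
    "health": ("weight", "heart_rate", "medication", "steps"),
}

def registrable(host):
    # Naive "last two labels" rule; a real tool should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def classify(flow, first_party):
    """flow: {'url': ..., 'body': form-encoded string} as exported from the proxy."""
    parts = urlsplit(flow["url"])
    domain = registrable(parts.hostname)
    fields = dict(parse_qsl(parts.query) + parse_qsl(flow.get("body", "")))
    if domain in first_party:
        party = "first"
    else:
        party = "tracker" if domain in TRACKERS else "other-third"
    data = sorted(c for c, keys in HINTS.items() if any(k in fields for k in keys))
    return {"domain": domain, "encrypted": parts.scheme == "https",
            "party": party, "data": data}

def findings(flows, first_party):
    """Report classified data leaving for non-first-party hosts."""
    out = []
    for flow in flows:
        r = classify(flow, first_party)
        if r["party"] != "first" and r["data"]:
            # Health data sent in clear text to a third party is the worst case.
            sev = "high" if "health" in r["data"] and not r["encrypted"] else "medium"
            out.append((sev, r["domain"], r["data"]))
    return sorted(out)

# Constructed sample flows (not captured traffic).
SAMPLE = [
    {"url": "https://api.example-health.test/v1/sync", "body": "weight=82&user=u1"},
    {"url": "https://t.appsflyer.com/event?android_id=abc123&app_id=com.example", "body": ""},
    {"url": "http://data.flurry.com/event", "body": "device_id=abc123&heart_rate=71"},
    {"url": "https://ssl.google-analytics.com/event?cid=555&lat=48.2&lon=16.4", "body": ""},
]
```

Calling `findings(SAMPLE, {"example-health.test"})` lists the three third-party flows, with the unencrypted health-data flow ranked first.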


Test architecture

Android emulator in a virtual environment

WiFi Pineapple as WiFi access point and traffic interceptor for non-HTTP traffic

Fiddler proxy server for MitM (also SSL interception)


Results


Mobile health Apps evaluation

A set of selected free mobile applications from the “health and fitness” category has been tested

– personal health record, self-management, calorie counter and diet plan, healthy living and health promotion (activity and fitness tracker, workout and sports) and medication management


Mobile health Apps evaluation

All applications use encrypted communication

All encrypted communication can be intercepted

No appropriate certificate checks or certificate pinning

No end to end security


[Figure: Proxy between the app and the www server, with the labels "Encrypted tunnel", "Proxy generated certificate" and "Server certificate"]


Mobile health Apps evaluation

80% of the analyzed free mobile applications contact third-party websites for advertising and analytics

– e.g. admob.com, appsflyer.com, flurry.com, fiksu.com, google-analytics.com, localytics.com, kiip.me, rubiconproject.com, crashlytics.com, newrelic.com, …

– Data is sent during startup, in background mode, during operation, …

– One application even sends health data unencrypted to third party


Data sent

Device IDs / linked to user ID

Contact information

User data / location data to third party


Discussion


Third party websites … … data is the new gold

“… is the market leader in mobile advertising attribution & analytics, helping marketers to pinpoint their targeting, optimize their ad spend and boost their ROI”

“Big Data Means Big Insights”

“Integrate Analytics in five minutes to get basic insights into your users and app performance, or set up advanced analysis of complex events to get a deep understanding of everything your users are doing …”

“Understand Demographics (Even if you Don't Track Them)”


Use of device ID

Tracking users and data correlation


[Figure: App 1, App 2, … App n of User 1 and of User 2 each send "Device ID + Application ID + data" to the analytics service, which receives "IDs + data"]


Data server location

Most of the servers are located in the US (i.e. outside Europe)

– appsflyer.com – US, google-analytics.com – US, kiip.me – US, rubiconproject.com – US, …


(localytics.com)


Privacy Policies

Huckvale et al. did similar work and also evaluated the privacy policies of the apps

There are even apps that do not have privacy policies

Most apps do not handle data according to their privacy policy

Policies are often quite large and complex documents, and users mostly care about them as little as about the rights an app asks for

Most people do not know what happens with their data


Future Work

Refining automatic analysis of transmitted data

Continue work on client & server side (often cloud)

Development of a risk model

Development of a “trust” indicator regarding security and privacy of health apps

“Best practise” rules


“If you’re not paying for the product, you are the product.”


Thank you for your attention
