how safe are mhealth apps?

Post on 12-Apr-2017

318 Views

Category:

Health & Medicine

1 Downloads

Preview:

Click to see full reader

TRANSCRIPT

BCS Health Informatics Scotland 2015

How Safe are mHealth Apps?

Maria Wolters1, Konstantin Knorr2, David Aspinall1, Kami Vaniea1

1 University of Edinburgh

2 University of Applied Sciences, Trier

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

That Finding Was Not a Surprise

❖ BBC report: Huckvale et al, BMC Medicine 2015 13:214 focus on apps included in the NHS app library, all conditions and purposes

❖ Knorr/Aspinall/Wolters (2015): On the Privacy, Security, and Safety of Blood Pressure and Diabetes Apps. in: Proc. IFIP focus on Android apps for monitoring blood pressure and blood glucose

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Focus of this talk

❖ Knorr/Aspinall/Wolters (2015): On the Privacy, Security, and Safety of Blood Pressure and Diabetes Apps. in: Proc. IFIP Android apps for monitoring blood pressure and blood glucose, no prior vetting

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Why Does It Matter?

❖ Some apps ask for personal identifying information, such as age / gender, or store location

❖ Some people would rather not want the world and their insurance company to know that their blood glucose levels are very high

❖ Some topics are sensitive (smoking, alcohol, mood, …)

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Why Diabetes and Hypertension?❖ Highly prevalent in population

❖ Successful telehealthcare applications (cf. TeleScot results, McKinstry et al BMJ 2013; 346)

❖ Easily tracked by single key parameter (blood pressure / blood glucose)

❖ Require regular monitoring

❖ Apps can provide useful feedback to patient

❖ Data can be exported to health care provider

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

The Apps

❖ English or German user interface

❖ can be tested on Nexus 7, Android 4.4.2 (tests in late 2014)

❖ over 10,000 (free) / 1,000 (paid) downloads

❖ n=157

Database

FileSystem

Nexus 7

App Stores

Select, buy,download Apps

Extract APKs

Retrieve Meta Datalike Price, URL of Privacy Policy,Number of Downloads

Vendors WebSite

(B) Dynamic Analysis

(A) Static Analysis

RetrievePrivacyPolicies

(D) Analysis ofPrivacy Policy

APKs

Privacy Policies

GenerateStatistics

Statisticsand Findings

Save results ofTesting in Databaseand File System

Web Server

(C) Web ServerSecurity

App Store

Database

FileSystem

Nexus 7

App Stores

Select, buy,download Apps

Extract APKs

Retrieve Meta Datalike Price, URL of Privacy Policy,Number of Downloads

Vendors WebSite

(B) Dynamic Analysis

(A) Static Analysis

RetrievePrivacyPolicies

(D) Analysis ofPrivacy Policy

APKs

Privacy Policies

GenerateStatistics

Statisticsand Findings

Save results ofTesting in Databaseand File System

Web Server

(C) Web ServerSecurity

App Store

all apps

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Key Results - Static Analysis❖ Many free apps use advertising add ons that pose massive privacy risks

❖ 6 apps were still debuggable

❖ 15 of 126 apps with Internet access permission were vulnerable to man in the middle attacks

Database

FileSystem

Nexus 7

App Stores

Select, buy,download Apps

Extract APKs

Retrieve Meta Datalike Price, URL of Privacy Policy,Number of Downloads

Vendors WebSite

(B) Dynamic Analysis

(A) Static Analysis

RetrievePrivacyPolicies

(D) Analysis ofPrivacy Policy

APKs

Privacy Policies

GenerateStatistics

Statisticsand Findings

Save results ofTesting in Databaseand File System

Web Server

(C) Web ServerSecurity

App Store

n=72

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Key Results - Dynamic Analysis

❖ If somebody has your phone, they have your data - most apps do not encrypt

❖ Of 49 apps that export to SD card, only 1 encrypts; some do not include SD card in data wipe

❖ No provision for sending data and reports to carers and health care professionals in encrypted emails / encrypted PDFs

Database

FileSystem

Nexus 7

App Stores

Select, buy,download Apps

Extract APKs

Retrieve Meta Datalike Price, URL of Privacy Policy,Number of Downloads

Vendors WebSite

(B) Dynamic Analysis

(A) Static Analysis

RetrievePrivacyPolicies

(D) Analysis ofPrivacy Policy

APKs

Privacy Policies

GenerateStatistics

Statisticsand Findings

Save results ofTesting in Databaseand File System

Web Server

(C) Web ServerSecurity

App Store

n=20 had dedicated web server

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Key Results - Web Analysis

Database

FileSystem

Nexus 7

App Stores

Select, buy,download Apps

Extract APKs

Retrieve Meta Datalike Price, URL of Privacy Policy,Number of Downloads

Vendors WebSite

(B) Dynamic Analysis

(A) Static Analysis

RetrievePrivacyPolicies

(D) Analysis ofPrivacy Policy

APKs

Privacy Policies

GenerateStatistics

Statisticsand Findings

Save results ofTesting in Databaseand File System

Web Server

(C) Web ServerSecurity

App Store

only 19% had one

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

Caveats

❖ Apps are ubiquitous, free apps are particularly tempting - but your medical data is the commodity

❖ Apps are not (expensive) medical devices that have to undergo rigorous testing

❖ If your phone is stolen and hacked, your data is unprotected

Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015

What Now?❖ Support developers in best practice

❖ Create meaningful accreditation

❖ Educate patients

❖ … - over to you!

❖ Contact: Maria Wolters maria.wolters@ed.ac.uk @mariawolters

top related