- Oversecured found 1,500 vulnerabilities in 10 mental health apps with more than 14 million downloads
- Exposed therapy transcripts, mood logs, medication schedules, and other sensitive data
- Therapy records can sell for more than $1,000 each; many apps lacked updates, increasing security risks
Some mental health apps are actually adding to the pressure by exposing users' sensitive medical information, experts have warned.
Security researchers at Oversecured recently analyzed 10 mental health mobile apps in the Android ecosystem, downloaded more than 14 million times in total, and found that they contained more than 1,500 vulnerabilities, of which 54 were considered high severity.
“These apps collect and store some of the most sensitive personal data on mobile devices: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and, in some cases, HIPAA-protected information,” the researchers said in a new report.
Unique risks
The vulnerabilities could be abused in several ways, but primarily to expose sensitive user data such as therapy details, cognitive behavioral therapy (CBT) session notes, and various scores.
The issues can also be used to intercept login credentials, spoof notifications, inject malicious HTML code, or even locate the user.
Oversecured said that in some cases they discovered configuration data in plain text, including backend API endpoints and hardcoded Firebase database URLs. Some of the applications use the cryptographically insecure java.util.Random class to generate session tokens and encryption keys.
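An added example, not code from Oversecured's report or from any of the analyzed apps: the java.util.Random pattern described above, shown beside a SecureRandom-based replacement for session tokens and encryption keys. The class name, method names and seed value are constructed for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class TokenGenerationDemo {
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Weak pattern: java.util.Random is a 48-bit linear congruential generator,
    // so every byte it emits is a deterministic function of the seed.
    static byte[] weakBytes(long seed, int n) {
        byte[] buf = new byte[n];
        new Random(seed).nextBytes(buf);
        return buf;
    }

    // Hardened token: 256 bits from the platform CSPRNG, URL-safe encoding.
    static String sessionToken() {
        byte[] buf = new byte[32];
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened key: let the JCA key generator draw key material from the CSPRNG.
    static SecretKey aesKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, CSPRNG);
        return kg.generateKey();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        long seed = 1_700_000_000_000L; // constructed sample: a millisecond timestamp
        // Two "independent" weak keys from the same seed are byte-for-byte identical.
        SecretKey weakA = new SecretKeySpec(weakBytes(seed, 32), "AES");
        SecretKey weakB = new SecretKeySpec(weakBytes(seed, 32), "AES");
        System.out.println("weak keys identical:   "
                + Arrays.equals(weakA.getEncoded(), weakB.getEncoded()));
        // CSPRNG output does not repeat across calls.
        System.out.println("strong tokens differ:  " + !sessionToken().equals(sessionToken()));
        System.out.println("strong keys differ:    "
                + !Arrays.equals(aesKey().getEncoded(), aesKey().getEncoded()));
        System.out.println("token length (chars):  " + sessionToken().length());
    }
}
```

When reviewing an app's code, any session token, key, IV or nonce whose bytes trace back to java.util.Random (or Math.random) is a finding, regardless of how the seed was chosen.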
Sergey Toshin, founder of Oversecured, said mental health data carries “unique risks,” something cybercriminals seem especially aware of: he noted that therapy records sell for $1,000 or more per record, “far more than credit card numbers.”
One warning sign that these apps are risky is their update cadence: only four received an update as recently as this month, while the rest haven't been updated in months, sometimes years.
To stay safe, it is no longer enough to opt for popular apps with many downloads and positive reviews. Users should choose apps that are actively supported and receive regular updates.
Via BleepingComputer