
Security Vulnerabilities Discovered in Popular Mental Health Mobile Applications


Security researchers have identified numerous vulnerabilities in several mental health mobile applications available on Google Play, potentially exposing sensitive user data.

The analysis, conducted by mobile security company Oversecured, revealed a total of 1,575 security issues across ten popular apps, which collectively have over 14.7 million downloads.

Key Findings

  • One specific application was found to contain over 85 medium- and high-severity vulnerabilities.
  • The identified issues range from intercepting login credentials and spoofing notifications to HTML injection and locating users.
  • Mental health data carries unique risks: therapy records reportedly sell for significantly higher prices on the dark web than other personal data.
  • Out of the 1,575 vulnerabilities, 54 were rated high-severity, 538 medium-severity, and 983 low-severity.
  • At least six of the analyzed apps claim user conversations are private or securely encrypted on their servers.

Types of Vulnerabilities Identified

The researchers highlighted several common vulnerability patterns:

  • Inadequate URI Validation: Some apps parse user-supplied URIs without sufficient validation. This could allow attackers to force the app to open internal activities, potentially accessing authentication tokens and session data.

  • Insecure Local Data Storage: Data was stored locally in a manner that granted read access to any other app on the device, potentially exposing therapy entries, CBT session notes, and scores.

  • Plaintext Configuration Data: Backend API endpoints and a hardcoded Firebase database URL were discovered in plaintext within APK resources.

  • Weak Cryptography: Some apps used the cryptographically insecure java.util.Random class for generating session tokens or encryption keys.

  • Lack of Root Detection: Most of the scanned apps did not include root detection mechanisms, making locally stored health data vulnerable on rooted devices.
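The following Java example is added here to illustrate three of the patterns above (weak session tokens from java.util.Random, world-readable local storage, and unvalidated deep-link URIs) together with their hardened counterparts. It is not code from Oversecured or from any of the analyzed apps; the class, method and file names, the allow-listed host `api.example-therapy.app` and the route names are all constructed for the illustration. Plain JDK APIs are used so it runs outside Android, with the Android equivalents noted in comments.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import java.util.Set;

// Hypothetical hardening helpers; names and values are constructed for this example.
public final class MentalHealthAppHardening {

    // --- Weak cryptography -------------------------------------------------
    // Vulnerable: java.util.Random is a 48-bit LCG. Anyone who learns (or guesses)
    // the seed reproduces every "random" token it ever emitted.
    static String weakSessionToken(long seed) {
        byte[] buf = new byte[32];
        new Random(seed).nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened: SecureRandom draws from the platform CSPRNG (/dev/urandom on
    // Android), so tokens and keys are unpredictable even if the time is known.
    static String strongSessionToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // --- Insecure local data storage ---------------------------------------
    // Hardened: create the file owner-only from the start (rw-------), so no other
    // UID on the device can read a therapy note or CBT session entry. On Android the
    // equivalent is Context.openFileOutput(name, Context.MODE_PRIVATE); the deprecated
    // MODE_WORLD_READABLE is what produced the finding described above.
    static Path writePrivateNote(Path dir, String fileName, String contents) throws Exception {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path note = dir.resolve(fileName);
        Files.deleteIfExists(note);
        Files.createFile(note, PosixFilePermissions.asFileAttribute(ownerOnly));
        Files.write(note, contents.getBytes(StandardCharsets.UTF_8));
        return note;
    }

    // --- Inadequate URI validation -----------------------------------------
    // Hardened: deep links are accepted only when scheme, host and route all match an
    // allow-list. Never let a user-supplied URI choose which internal Activity to
    // launch; map the allow-listed route to a fixed screen instead.
    private static final String ALLOWED_HOST = "api.example-therapy.app"; // constructed
    private static final Set<String> ALLOWED_ROUTES = Set.of("/journal", "/session", "/settings");

    static boolean isAllowedDeepLink(String raw) {
        try {
            URI uri = new URI(raw);
            return "https".equals(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost())
                && uri.getUserInfo() == null            // reject "host@evil" tricks
                && uri.getPath() != null
                && ALLOWED_ROUTES.contains(uri.getPath());
        } catch (Exception e) {
            return false;                               // unparsable input is rejected
        }
    }

    public static void main(String[] args) throws Exception {
        // Same seed, same token: the weak generator gives no real secrecy.
        System.out.println(weakSessionToken(42L).equals(weakSessionToken(42L))); // true
        System.out.println(strongSessionToken().equals(strongSessionToken()));   // false

        Path note = writePrivateNote(Files.createTempDirectory("notes"), "cbt-1.txt",
                                     "constructed sample CBT entry");
        System.out.println(Files.getPosixFilePermissions(note)); // [OWNER_READ, OWNER_WRITE]

        System.out.println(isAllowedDeepLink("https://api.example-therapy.app/journal"));          // true
        System.out.println(isAllowedDeepLink("https://api.example-therapy.app/../InternalActivity")); // false
        System.out.println(isAllowedDeepLink("http://attacker.example/journal"));                  // false
    }
}
```

The deep-link check deliberately compares the whole path against a fixed set rather than using prefix matching, which is what lets path traversal or look-alike routes slip through; the file helper sets permissions at creation time rather than afterwards so there is no window in which the note is readable by other apps.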

Scope and Disclosure

The scans were performed between January 22 and 23 on the latest available app versions. While six of the ten apps had no high-severity findings, they still contained medium-severity issues that affected their overall security.

The researchers could not confirm if any of the vulnerabilities have been addressed. The names of the affected applications have not been publicly disclosed.