Mental health is an extremely important subject, especially in these unprecedented times of the COVID-19 pandemic. Ubiquitous mobile phones can equip users to supplement psychiatric treatment and manage their mental health. Mobile Mental Health (MMH) apps emerge as an effective alternative to assist with a broad range of psychological disorders, filling the much-needed patient-provider accessibility gap. However, they also raise significant concerns about sensitive information leakage. The absence of a transparent privacy policy and a lack of user awareness may pose a significant threat, undermining the applicability of such tools. We conducted a multifold study of: 1) privacy policies (manually and with Polisis, an automated framework to evaluate privacy policies); 2) app permissions; 3) static analysis for inherent security issues; 4) dynamic analysis for threat surface and vulnerability detection; and 5) traffic analysis. Our results indicate that the apps' exploitable flaws, dangerous permissions, and insecure data handling pose a potential threat to users' privacy and security. The dynamic analysis identified 145 vulnerabilities in 20 top-rated MMH apps where attackers and malicious apps can access sensitive information. 45% of MMH apps use a unique identifier, Hardware Id, which can link a unique id to a particular user and probe users' mental health. Traffic analysis shows that sensitive mental health data can be leaked through insecure data transmission. MMH apps need better scrutiny and regulation for more widespread usage to meet the increasing need for mental health care without being intrusive to the already vulnerable population.