Saturday, 1 May 2021

Health and quasi-medical apps are data harvesting

Over 100 free and paid Health and quasi-medical apps on the Apple App Store were analysed for their data-harvesting practices. For the most part, they collect far more data than they need to do the job. These included health, fitness, fertility, diet, sleep, yoga, and cycling apps.

Now it is not just Apple – Google Play also has many of these apps. The research is particularly timely in light of Apple’s iOS update that requires you to give permissions on an app-by-app basis.

The research focused on the privacy policies of each app. Paid apps were preferred, as there are many more backdoors in free or freemium ones.

Here is a general warning about Health and quasi-medical apps.

What permissions should you grant? As few as possible. For example, why would Fitbit (now owned by Google) and Google Fit be two of the most intrusive health apps when all you may use them for is a pedometer? Why does Down Dog need to know so much when it is a yoga instruction app? Diet apps are also among the most intrusive.

Any paid app that requires you to create an account and sign in will, at a minimum, have

  • Name
  • Email
  • Phone
  • Address (it already has GPS/Wi-Fi location details)
  • Payment details
  • Device information
  • Voice recording (often used for MFA verification)

Many apps have compulsory questions to round out your profile – if the app does not need it, don’t give it.

  • Age and Gender
  • Occupation
  • Language spoken
  • Height and weight
  • Shoe and hat size
  • Workout or exercise details
  • Sports and hobbies (play or follow)
  • Female menstrual cycle
  • Sleep schedule (or take it from your smartwatch)

If you use social media to sign in, then all data is passed up the line (to Facebook, for example) to verify you. But that also means it may ask for

  • Family and friends’ details (to set up targets and groups of friends – Facebook downloads your contacts file and uses this to link you to others)

Regrettably, the research could not locate the cloud location or the app developer’s country of origin, or analyse in more detail the ‘terms of use’ that can also hide fine print.

Why does this matter for health and quasi-medical apps?

In general terms, you don’t want personal data in the public domain.

Most of these apps sell your data to Facebook, especially if you participate in leader boards and group challenges. It is not benign, as Facebook is the most data-hungry app on the planet, and you cannot trust it. #Delete Facebook

Others sell data to companies that can use it. For example, health and life insurance companies want to know. Some sell to medical practitioner networks or worse – baby shops – to drum up business.

Some sell to brokers that hawk your data to others that, when aggregated with other data, can deanonymise you – in other words, the app you use may be the key to demystifying your profile.

And some sell data to the dark web to round out your profile.

Other apps have a hidden purpose. Femm, a fertility app funded by anti-abortion, anti-gay Catholic campaigners, ‘sows doubt about the safety and efficacy of hormonal birth control.’

What to do when Apple’s iPhone asks?

First, no app should gather data all the time, so only allow the app permission to do so when you use it. No app should be allowed to run in the background.

Second, if an app asks for more than it needs to do its job, deny that permission. For example, asking you to take a photo and record your voice means they can access your camera and mic.

Never use social media logins – always use your ‘junk’ email address and a strong password. That way, if the app gets hacked, you will get a notification.

Never answer questionnaires that ask for details beyond what the app needs. If you do, it could secretly be adding permissions like accessing your pedometer or linking to other apps.

Read the privacy policy – yes, the 5000-word small print you know so well.

Look at the app developer’s pedigree. Just because it is on the Apple App Store does not mean it is good. It could come from a third-world country. It could target advertisements at you and even steal your ID.

The post Health and quasi-medical apps are data harvesting appeared first on GadgetGuy.
