They handle user data that is far more sensitive than other apps. Nonetheless, providers of eHealth apps often neglect not only data protection but also intentionally lure in users with free health gimmicks in order to monetize the data. The latest study by the data protection experts at the AV-TEST Institute uncover this and other unacceptable practices.

They count the number of elapsed kilometers, ingested calories and fertile days. They record high blood pressure, depressions and diet deficiencies. They dial 911, provide health tips, assist in the search for physicians and medications, and even remind patients to take their medicine on time. Health apps for Android smartphones promise to support those who are sick as well as those who wish to lead healthier lives. And indeed, already more than 100,000 such apps assist millions of people in their efforts to get more physical exercise, eat a healthier diet, record and interpret their own body and vital signs, and optimize their own behavior accordingly. This provides a vast and promising market for app developers, the sports, medical and equipment industry. Yet also for advertisers, health insurance providers and other companies who make a business with user data.

there is clear evidence that most apps seek to access data unnecessary for the deployment of the app (see red and yellow dots in the chart).

in the Play Store by mid-March. Otherwise, the apps will be excluded from the App Store. ( Picture rights belong to TNW )

In the evaluation of 60 eHealth apps in the privacy check by the AV-TEST Institute

Highly-sensitive user data recorded by users themselves

Apps of this nature record relevant data on their users via an array of sensors that are built into modern smartphones. But also via a fast-growing number of peripheral devices such as scales, fitness trackers and other measuring devices. And not least, users voluntarily provide the data requested by the apps; always under the assumption that certainly the app providers will treat the requested data confidentially and protect it accordingly. Because unlike others, the apps available in Google's Play Store in the categories of "Health & Fitness", "Medicine" and "Lifestyle" record and use large amounts of personal data, including health data.

The 60 apps evaluated by the data protection experts at the AV-TEST Institute indicate a broad cross-section of the eHealth apps offered free of charge in the Google Play Store. They included Android programs for diagnosing possible diseases, search apps for medical information, pharmacies and physicians, fitness trackers such as apps for monitoring vital signs, e.g. calorie counters, diabetes diaries and fertility planners, sleep monitoring apps and baby diaries.

High legal hurdles and concerns by users

In accordance with the EU's data protection directive, the German Federal Data Protection Act (BDSG), as well as special legal regulations, personal data of this nature generally enjoys special protection. For example, its collection, processing and use requires the consent of those involved. What's more, information concerning data collection, processing and use must be "comprehensive and transparent", and the processing and use of data in foreign countries must be disclosed accordingly. In the case of health data, the legal requirements are even significantly more restrictive.

These legal requirements ought to allay the concerns of persons using such apps: According to a current study of the Allensbach Institute, users are not prepared to share the data of their fitness trackers with companies, i.e. their health insurance provider. Even if the disclosure of this data would lead to a partial reimbursement of health insurance premiums, more than half of all those surveyed would clearly be opposed to this.

Little helpers, free of charge, as data bait

The legal requirements and concerns of users, however, are at odds with the practical handling of user data by many providers of eHealth apps. Instead of offering effective data protection, they lure in users with free apps in order to gain access to their health data. This is revealed in the latest study by the AV-TEST Institute. In random tests, the experts examined both the scope and the quality of the data recorded by the applications. In doing so, they assessed them in relation to the application purpose and weighted the data acquisition accordingly. The data protection experts examined whether and how well app providers fulfill legal requirements concerning their duty to inform when acquiring and using data. Furthermore, the testers checked the data traffic of the apps. In the process, they investigated the tools with which the apps recorded data and the channels of these data flows. https://mlp-ag.de/redaktion/mlp-ag-de/gesundheitsreport-microsite/2016/mlp-gesundheitsreport-2016-pk-praesentation-final.pdf (only available in German)

Over 80% lack a proper privacy policy!

The providers of health apps fall short even when it comes to the legal duty to inform the user on data acquisition and use: Of the 60 Android applications examined, a mere 32 offered a direct link from Google's Play Store to a privacy policy. However, only 22 were available via the link, ten apps led the user nowhere or rather onto orphaned websites. Only 19 out of 60 apps provided a privacy policy directly related to the application evaluated. For 53 out of 60 apps, the existing privacy policy dated back to the year 2014 or even earlier – or there was no information as to when the policy was valid.

In the meantime, these unacceptable conditions have apparently aroused the ire of Google as well, as the provider of the world's largest app store has announced drastic measures for app developers: At the beginning of February, Google informed app providers via email if their apps did not conform to the Play Store rules concerning the handling of user data. In this, the US corporation set a deadline of March 15 to remedy any improprieties. Otherwise, app providers may face drastic measures, including being kicked out of the Play Store. According to estimates by the media portal "The Next Web", millions of apps could be affected by this in the future. Already in the year 2014, a GPEN study documented the fact that 85% of the apps had insufficient privacy policies.

Massive critical data access

Whether a privacy policy existed or not, many of the eHealth apps examined by AV-TEST proved extremely access hungry when it came to the information of their users. The access authorizations that the apps allowed themselves in the practical test on mobile devices were accordingly vast. In addition to access to the user and device data, many apps also demanded access to photos and other data stored on mobile devices. Also in high demand: geo data as well as device IDs and call information. 12 apps demanded direct access to the camera, 7 wanted to freely use the microphone, 3 even required full telephony functions of the smartphones. Only 8 apps in the test demanded no access rights whatsoever.

The testers evaluated the necessity of the access rights demanded by the apps, taking into consideration the app functionality. If the access rights were not necessary for the core functions or a necessity was not apparent, the testers rated such access attempts as "critical". Of 186 access requests generated in the test, the experts rated as many as 77 queries as unnecessary for app deployment, and thus as "critical". One app, for example, in recording female menstruation cycles, wanted to be informed of the whereabouts of its female users. Another offered to disseminate relevant information via social networks.

Unsecured data transmission and ad tracking in plain text

In the current test, the security experts also looked at the data traffic of the eHealth apps. In doing so, it was revealed in the apps that providers are already working heavily with data acquisition tools and tracking instruments from third-party providers from the advertising industry, including Google and Flurry Analytics, Baidu, as well as automatic forwarding to Facebook.

Furthermore, the testers discovered that app providers, to the extent that they inform users via privacy policy at all concerning data disclosures to third parties, named at best Google Analytics. All other advertising networks remained undisclosed and could only be revealed in the lab through analysis of the data traffic of the apps by means of special forensics software. For novice users, the automatic disclosure of their data to third parties for advertising purposes is neither apparent nor can it be restricted in any form whatsoever.

Within the scope of this study, it was also revealed that data of all kinds is exchanged between apps and the servers of the providers, as well as affiliated advertising networks. Information that could be easily intercepted by attackers (man-in-the-middle attack) included sensitive user data such as logging of authentications, i.e.: also user names and corresponding passwords. Along with the reality that many apps disclose users' data without their knowledge to third parties comes the fact that in doing so, no provision is even made for sufficient protection measures, such as encrypted data transmission.

Data protection is a basic right!

Although in Germany and Europe health apps have become increasingly popular in recent years and can be found on the devices of many end users, there continues to be no official quality controls or seals of approval for evaluating the trustworthiness or data protection quality of such apps. The call for more data protection of apps by private players such as Google is encouraging, yet hardly credulous. After all, the company is among those that stand to gain the most from worldwide data trading.

A recent comment from Germany's Federal Minister of the Interior, Thomas de Maizière, in the daily newspaper, "Der Tagespiegel", illuminates the dilemma: "Data protection is not an end in itself. Rather, the objective is to protect people's privacy and general right of personality. In doing so, it is by no means clear what is meant by privacy. Some people consider their privacy breached when someone sends them advertising whereas others are only threatened when someone breaks into their apartment." Contrary to what Minister de Maizière believes, German laws and legal precedents clearly define the areas where citizens' privacy and right of personality are breached and are therefore to be protected. Specifically, not only when it comes to burglary but also concerning unsolicited advertising in their mailbox as well as by email, phone and fax. And as opposed to the views of the Minister of the Interior, data protection is indeed an end in itself, as is clearly stated in Article 8.1 of the EU Charter of Fundamental Rights. It says there that "Everyone has the right to the protection of personal data concerning him or her." And it goes on to say in Section 3: "Compliance with these rules shall be subject to control by an independent authority."

The German government must finally fulfill this statutory duty. The objective is to create the necessary national standards for the protection of German consumers as quickly as possible and at the same time to implement European law. Hoping for voluntary renunciation of user data by means of a "Code of Conduct" through self-commitment by the app providers cannot replace the enforcement of existing law for the protection of consumers.

Up to now, consumers have been on their own

Up until the needed implementation of legal regulations, users of health apps are left on their own to protect their data. As the latest data protection study of eHealth apps from AV-TEST demonstrates, users should take a close look at which app they allow onto their smartphone or tablet. That is why it is crucial, wherever possible, to examine the access rights of the apps in the App Store in order to keep data spies away from one's own devices.

As an independent test institute, AV-TEST will continue to keep a close eye on the market of health apps in the future. Within the scope of this study, a functional privacy test was developed in which in addition to checking the privacy policy, it is examined which data an app records, how it stores and uses this data, whether the data collection and use is necessary for the deployment of the app and whether relevant data is disclosed to third parties. Apps that complete this rapid test with a clean bill of health in terms of data protection will be recognized in the future by the new AV-TEST privacy logo.