Date post: | 12-Apr-2017 |
Upload: | maria-wolters |
BCS Health Informatics Scotland 2015
How Safe are mHealth Apps?
Maria Wolters¹, Konstantin Knorr², David Aspinall¹, Kami Vaniea¹
¹ University of Edinburgh
² University of Applied Sciences, Trier
Wolters/Knorr/Aspinall/Vaniea BCS HCI 2015
That Finding Was Not a Surprise
❖ BBC report: Huckvale et al., BMC Medicine 2015, 13:214. Focus on apps included in the NHS app library, all conditions and purposes
❖ Knorr/Aspinall/Wolters (2015): On the Privacy, Security, and Safety of Blood Pressure and Diabetes Apps. In: Proc. IFIP. Focus on Android apps for monitoring blood pressure and blood glucose
Focus of this talk
❖ Knorr/Aspinall/Wolters (2015): On the Privacy, Security, and Safety of Blood Pressure and Diabetes Apps. In: Proc. IFIP. Android apps for monitoring blood pressure and blood glucose, no prior vetting
Why Does It Matter?
❖ Some apps ask for personal identifying information, such as age / gender, or store location
❖ Some people would rather not have the world and their insurance company know that their blood glucose levels are very high
❖ Some topics are sensitive (smoking, alcohol, mood, …)
Why Diabetes and Hypertension?
❖ Highly prevalent in population
❖ Successful telehealthcare applications (cf. TeleScot results, McKinstry et al BMJ 2013; 346)
❖ Easily tracked by single key parameter (blood pressure / blood glucose)
❖ Require regular monitoring
❖ Apps can provide useful feedback to patient
❖ Data can be exported to health care provider
The Apps
❖ English or German user interface
❖ can be tested on Nexus 7, Android 4.4.2 (tests in late 2014)
❖ over 10,000 (free) / 1,000 (paid) downloads
❖ n=157
[Figure: study workflow. Boxes: App Stores, App Store, Vendor's Web Site, Web Server, Nexus 7, APKs, Privacy Policies, Database, File System. Steps: select, buy, download apps; extract APKs; retrieve metadata such as price, URL of privacy policy, number of downloads; retrieve privacy policies; (A) static analysis; (B) dynamic analysis; (C) web server security; (D) analysis of privacy policy; save results of testing in database and file system; generate statistics; statistics and findings.]
all apps
Key Results - Static Analysis
❖ Many free apps use advertising add-ons that pose massive privacy risks
❖ 6 apps were still debuggable
❖ 15 of 126 apps with Internet access permission were vulnerable to man-in-the-middle attacks
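A manifest-level check for the properties counted above (the debuggable flag and the Internet permission) plus the permission to write to shared external storage, given here as an added example that is not the study's own tooling. It assumes each APK's manifest has already been decoded to text XML; the package names and sample manifests are constructed. Susceptibility to man-in-the-middle attacks cannot be read from the manifest, so the Internet permission count only identifies which apps need that further test.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (hypothetical apps, not from the study). They are
# in decoded text form; the binary manifest inside an APK must be decoded first.
SAMPLES = {
    "com.example.bpdiary": """<manifest
        xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.bpdiary">
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
      <application android:debuggable="true"/>
    </manifest>""",
    "com.example.glucolog": """<manifest
        xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.glucolog">
      <uses-permission android:name="android.permission.INTERNET"/>
      <application android:label="GlucoLog"/>
    </manifest>""",
    "com.example.broken": "<manifest><application",
}


def audit_manifest(xml_text):
    """Return the manifest properties the static-analysis slide reports on."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    # android:debuggable defaults to false when the attribute is absent.
    debuggable = app is not None and app.get(A + "debuggable", "false") == "true"
    return {
        "debuggable": debuggable,
        "internet": "android.permission.INTERNET" in perms,
        "sd_card_write": "android.permission.WRITE_EXTERNAL_STORAGE" in perms,
    }


def summarise(manifests):
    """Count flagged apps; unparsable manifests are listed, not silently dropped."""
    totals = {"debuggable": 0, "internet": 0, "sd_card_write": 0, "unparsed": []}
    for package, xml_text in manifests.items():
        try:
            result = audit_manifest(xml_text)
        except ET.ParseError:
            totals["unparsed"].append(package)
            continue
        for key, hit in result.items():
            totals[key] += int(hit)
    return totals
```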
n=72
Key Results - Dynamic Analysis
❖ If somebody has your phone, they have your data - most apps do not encrypt
❖ Of 49 apps that export to SD card, only 1 encrypts; some do not include SD card in data wipe
❖ No provision for sending data and reports to carers and health care professionals in encrypted emails / encrypted PDFs
n=20 had dedicated web server
Key Results - Web Analysis
only 19% had one
Caveats
❖ Apps are ubiquitous, free apps are particularly tempting - but your medical data is the commodity
❖ Apps are not (expensive) medical devices that have to undergo rigorous testing
❖ If your phone is stolen and hacked, your data is unprotected
What Now?
❖ Support developers in best practice
❖ Create meaningful accreditation
❖ Educate patients
❖ … - over to you!
❖ Contact: Maria Wolters [email protected] @mariawolters