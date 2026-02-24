Oversecured found 1,500 vulnerabilities across 10 mental health apps with over 14 million downloads

Exposed therapy transcripts, mood logs, medication schedules, and other sensitive data

Therapy records can sell for $1,000+ each; many apps lacked updates, raising security risks

Some mental health apps are actually adding to the pressure by exposing users’ sensitive medical information, experts have warned.

Security researchers Oversecured recently analyzed 10 mental health mobile apps in the Android ecosystem, cumulatively downloaded more than 14 million times, finding they contained more than 1,500 vulnerabilities, of which 54 were deemed high severity.

“These apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA,” the researchers said in a new report.

Unique risks

The vulnerabilities could be abused in various ways, but primarily to expose sensitive user data, such as therapy details, Cognitive Behavioral Therapy (CBT) session notes, and various scores.

The issues can also be used to intercept login credentials, spoof notifications, inject malicious HTML code, or even locate the user.

Oversecured said that in some instances they discovered configuration data in plaintext, including backend API endpoints and hardcoded Firebase database URLs. Some of the apps use the cryptographically insecure java.util.Random class for generating session tokens and encryption keys.
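The weak pattern the report describes, placed beside the fix, as an added illustration that is not code from the report or from any of the audited apps (class and method names are my own):

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class TokenGeneration {
    // Weak pattern from the report: java.util.Random is a 48-bit linear congruential
    // generator. Its entire output stream is fixed by the seed, so a session token
    // built from it is guessable and must never gate access to therapy data.
    static String weakSessionToken(long seed, int numBytes) {
        byte[] buf = new byte[numBytes];
        new Random(seed).nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened form: SecureRandom reads the platform CSPRNG (/dev/urandom on Android).
    // Reuse one instance; 32 bytes gives 256 bits of entropy for a bearer token.
    private static final SecureRandom RNG = new SecureRandom();

    static String secureSessionToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Encryption keys come from KeyGenerator backed by SecureRandom, not from a
    // Random loop. On Android, prefer Android Keystore so the key never leaves hardware.
    static SecretKey secureAesKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        // Two Random instances with the same seed emit the same "token": the defect
        // a reviewer should flag when grepping an APK for java.util.Random.
        String a = weakSessionToken(42L, 32);
        String b = weakSessionToken(42L, 32);
        System.out.println("weak tokens identical: " + a.equals(b));   // true
        System.out.println("secure token: " + secureSessionToken(32));
        System.out.println("AES key bits: " + secureAesKey().getEncoded().length * 8);
    }
}
```

A default-constructed `new Random()` is seeded from the clock and a static counter rather than a literal, but its output remains a deterministic function of that seed; only `SecureRandom` is fit for tokens and keys.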

Sergey Toshin, founder of Oversecured, said mental health data carries “unique risks” that cybercriminals appear well aware of, noting that therapy records sell for $1,000 or more each, “far more than credit card numbers”.

One warning sign was the apps’ update cadence: only four had received an update this month, while the rest had not been updated in months, sometimes years.

To remain secure, going for popular apps with plenty of downloads and positive reviews is no longer enough. Users should choose apps that are actively supported and receive regular updates.

Via BleepingComputer

