Multiple mental health apps riddled with high severity security flaws — data of millions put at risk, so be on your guard
Researchers found 1,500 vulnerabilities in 10 popular apps installed nearly 15 million times
- Oversecured found 1,500 vulnerabilities across 10 mental health apps with over 14 million downloads
- Exposed therapy transcripts, mood logs, medication schedules, and other sensitive data
- Therapy records can sell for $1,000+ each; many apps lacked updates, raising security risks
Some mental health apps are actually adding to the pressure by exposing users’ sensitive medical information, experts have warned.
Security researchers Oversecured recently analyzed 10 mental health mobile apps in the Android ecosystem, cumulatively downloaded more than 14 million times, finding they contained more than 1,500 vulnerabilities, of which 54 were deemed high severity.
“These apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA,” the researchers said in a new report.
Unique risks
The vulnerabilities could be abused in various ways, but primarily to expose sensitive user data, such as therapy details, Cognitive Behavioral Therapy (CBT) session notes, and various scores.
The issues can also be used to intercept login credentials, spoof notifications, inject malicious HTML code, or even locate the user.
Oversecured said that in some instances they discovered configuration data in plaintext, including backend API endpoints and hardcoded Firebase database URLs. Some of the apps use the cryptographically insecure java.util.Random class for generating session tokens and encryption keys.
Sergey Toshin, founder of Oversecured, said mental health data carries “unique risks”, something cybercriminals seem to be particularly aware of. He noted that therapy records sell for $1,000 or more per record, “far more than credit card numbers”.
One thing that could have given these apps away as risky is their update cadence, as only four received an update as recently as this month, while the rest haven’t been updated in months, sometimes years.
To remain secure, going for popular apps with plenty of downloads and positive reviews is no longer enough. Users should choose apps that are actively supported and receive regular updates.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.