The pandemic has made us all more aware of our health, and since we’ve all been spending a lot more time stuck at home, our phones have been the first port of call. But when it comes to health and wellbeing apps, how much information should we be sharing? And which apps best protect our data?
We’ve been working with Which? to assess some popular apps to understand how well they protect users’ privacy and security and identify the common mistakes.
We looked at each app’s password protection and security, how many permissions they requested and how many cookies were running on their associated websites.
The apps we looked at fell into three categories: mindfulness, sleep and wellbeing; weight loss and fitness; and medical services.
Across all three categories we found a common theme in password strength. Many apps allowed users to protect their data with ‘Password1’ or a similarly weak password, and many didn’t offer two-factor authentication.
When we looked at cookies and permissions, some apps were better than others, but one stood out as using far more than we would deem necessary.
Which? shared our findings with the companies so they could respond and sort out any serious issues.
We used a rooted Android mobile device (Google Pixel 3a) for all our testing and created an account for each app using a selection of weak passwords.
To see how the apps stored passwords on the device, we inspected each app’s data folders, searching for keywords such as ‘encrypted’, ‘email’ and ‘password’. We also identified which hashing algorithm the apps used to protect passwords rather than storing them in plaintext.
All the apps we looked at allowed the use of weak passwords such as ‘Password1’, but some even allowed simply ‘password’.
Weak passwords put customer data at risk: they are easily guessed and leave accounts open to password-spraying attacks. Companies that want to do all they can to protect users’ data should not let these kinds of passwords through.
We found that passwords for Sleep Cycle and Noom weren’t protected in the mobile app on end-user devices, although it’s likely they were protected at the back end. When Which? spoke to Sleep Cycle about our findings, the company said this issue would be ‘corrected promptly’.
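As an added illustration of the weak-password finding above (example code, not from the original article or from any of the apps tested), the check below shows why a typical character-class ‘complexity’ rule accepts ‘Password1’ and how a length-plus-blocklist check, in the spirit of NIST SP 800-63B, rejects it. The blocklist and the 12-character minimum are constructed assumptions; a real service would check against a full breached-password corpus.

```python
import re

# Constructed, deliberately tiny blocklist standing in for a full
# common/breached-password list (assumption for this example).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def passes_naive_policy(pw: str) -> bool:
    """Typical composition rule: 8+ chars with upper, lower and a digit.
    'Password1' satisfies every clause, which is exactly the gap the audit found."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def check_password(pw: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password is rejected (empty list means accepted).
    Uses length and a blocklist instead of character-class rules; min_length
    of 12 is an assumed policy value, not one taken from the article."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    normalised = pw.lower()
    # Strip trailing digits/symbols so 'Password1' and 'password!!' match 'password'.
    stem = re.sub(r"[\d\W_]+$", "", normalised)
    if normalised in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    # Lightweight heuristic against 'aaaaaaaaaaaa'-style padding to reach the length.
    if len(set(normalised)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def policy_gap(candidates: list[str]) -> list[str]:
    """Passwords the naive policy would accept but the stronger check rejects."""
    return [pw for pw in candidates if passes_naive_policy(pw) and check_password(pw)]


# Constructed sample inputs for a local run.
SAMPLE = ["Password1", "password", "Welcome1", "Tr0ub4dor&3", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: naive={passes_naive_policy(pw)} rejected_for={check_password(pw)}")
    print("accepted by naive rule but rejected by the stronger check:", policy_gap(SAMPLE))
```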
Several of the apps we looked at didn’t offer two-factor authentication (2FA), including all three of the medical service apps.
Ada told Which? they were reviewing their authentication process and that 2FA would be available soon, and Babylon said they would be enhancing the protections they currently have in place.
For each app we assessed, we also looked at their websites and analysed the cookies they used. The main types of cookies are:
Nearly all the websites we looked at used more cookies than we would deem necessary, but Weight Watchers had the most cookies overall and the most tracking cookies in particular: we found a total of 225 cookies, of which just one was necessary and 87 were tracking cookies.
Noom’s website used just 39 cookies in total, with only three for tracking. However, the medical services app Ada came out top with just two cookies – one performance and one functional.
We also identified a few other security issues on the websites, including security holes in the Sleep Cycle and Weight Watchers sites, and we found that the Strava website was running out-of-date, vulnerable software.
Developers should only request permissions the app genuinely needs in order to work properly, so we were sceptical about some of the permission requests we found.
The Babylon Android app requested 30 permissions – more than any other we looked at – while the Android apps for Weight Watchers, Noom, MyFitnessPal, MapMyRun and Strava each asked for more than 20 permissions.
As the healthtech sector continues to grow, companies must ensure they’re doing all they can to protect their users’ data. Suffering a breach or failing to comply with regulations can mean fines from the regulators as well as damage to a company’s reputation.
By working with Which? we’ve shown how some of the biggest names in the sector still need to improve and highlighted the common mistakes to avoid.