Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosure, 18.3% can initiate phone calls silently, and 73 send SMS without notice. Nearly half (49.3%) still rely on the deprecated SHA-1 hash function, 42 transmit data unencrypted, and 6 remain vulnerable to StrandHogg 2.0. Analysis of 2.56 million user reviews found 28.5% negative or neutral sentiment, with over 553,000 explicitly citing privacy intrusions, data misuse, or operational instability. These findings demonstrate the urgent need for enforceable permission transparency, automated pre-market security vetting, and systematic adoption of secure-by-design practices to protect Protected Health Information (PHI).
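The checks the abstract lists (requests for fine-grained location, CALL_PHONE and SEND_SMS permissions, cleartext transmission, SHA-1 use) are the kind of findings MobSF and similar static analysers produce from the manifest and decompiled sources. The following is an added example, not code from the paper or from MobSF, RiskInDroid or OWASP Mobile Audit, showing a minimal version of that triage over a constructed manifest and a constructed Java snippet; the sample inputs, the `audit_manifest` and `find_weak_digests` names, and the permission-to-description mapping are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the three behaviours the audit singles out.
# Descriptions are this example's own wording; Android classifies all three as "dangerous".
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "fine-grained location",
    "android.permission.CALL_PHONE": "initiate calls without dialer confirmation",
    "android.permission.SEND_SMS": "send SMS",
}

# Constructed sample manifest for the example (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mhealth">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
    <application android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

# Constructed sample Java source for the example (not taken from any real app).
SAMPLE_SOURCE = """
import java.security.MessageDigest;
public class Token {
    String hash(byte[] data) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        return bytes2hex(md.digest(data));
    }
    String strong(byte[] data) throws Exception {
        return bytes2hex(MessageDigest.getInstance("SHA-256").digest(data));
    }
}
"""

# Matches MessageDigest.getInstance("SHA-1") / "SHA1" / "MD5" / "MD4" (case-insensitive).
WEAK_DIGEST_RE = re.compile(r'MessageDigest\.getInstance\(\s*"(SHA-?1|MD5|MD4)"\s*\)', re.I)


def _attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Flag sensitive permissions and whether cleartext HTTP is allowed."""
    root = ET.fromstring(xml_text)
    requested = [_attr(p, "name") for p in root.iter("uses-permission")]
    findings = {
        "sensitive_permissions": {
            p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS
        }
    }
    # Cleartext is allowed when usesCleartextTraffic="true", or when the attribute is
    # absent and targetSdkVersion < 28 (the platform default before API 28 allowed it).
    uses_sdk = root.find("uses-sdk")
    target = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    cleartext_attr = _attr(app, "usesCleartextTraffic") if app is not None else None
    findings["target_sdk"] = target
    findings["cleartext_allowed"] = (cleartext_attr == "true") or (
        cleartext_attr is None and target < 28
    )
    return findings


def find_weak_digests(source_text):
    """Return (line_number, algorithm) for each weak MessageDigest instantiation."""
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        m = WEAK_DIGEST_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    print(find_weak_digests(SAMPLE_SOURCE))
```

Against the constructed manifest this reports ACCESS_FINE_LOCATION and SEND_SMS and flags cleartext traffic (both the explicit `usesCleartextTraffic="true"` and the target SDK of 27 would allow it); the source scan reports the SHA-1 call and leaves the SHA-256 one alone. On a real APK the same logic runs over the decoded `AndroidManifest.xml` and the decompiled sources; it checks whether a permission is declared, not whether its use is disclosed to the user, which is the gap the abstract's figures describe.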

