A recent study has discovered that a number of NHS mobile health apps are not secure and leak data that could be used to enable identity theft and fraud.
Furthermore, some of the apps examined did not encrypt data when used, severely exposing the user's personal information. The study, entitled "Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment", was conducted over 6 months from August 2013 to January 2014 and examined 79 apps listed in NHS England's Health Apps Library.
The NHS apps centred on goals such as helping people lose weight, be more active and stop smoking. The study involved feeding fake data into the apps and then examining how each app handled it. It aimed to assess the extent to which already certified and tested apps complied with data protection principles.
Of the 79 apps available, 70 sent data to associated online services, 23 of them without encrypting the data, and 4 of the 79 apps sent both personal and health data without any protection. Most of the shared data concerned the user's phone or their identity. The study also found that poor information privacy practices were prevalent in the apps, and that the privacy policies attached to them were poorly drafted and vague.
Because of how mobile apps are designed, the average user cannot see the inner workings of an app and has to trust that it is secure, especially when the app records personal data such as medical information, which can be highly sensitive. The results of the study have been published online and can be reviewed on the website of the open access journal BMC Medicine.
The world of mobile apps is moving rapidly and nearly every business has an app affiliated with it, but these apps need to be tried and tested to a high standard before being released for public use. That testing must cover their security and how they protect a user's privacy and personal data.
The study serves to highlight growing concerns around insecure data storage and how developers do not seem to understand the consequences of poor security practice.