Mobile Mental Health Apps: Alternative Intervention or Intrusion?
Mental health is an extremely important subject, especially in these unprecedented times of the COVID-19 pandemic. Ubiquitous mobile phones can equip users to supplement psychiatric treatment and manage their mental health. Mobile Mental Health (MMH) apps emerge as an effective alternative to assist with a broad range of psychological disorders filling the much-needed patient-provider accessibility gap. However, it also raises significant concerns with sensitive information leakage.The absence of a transparent privacy policy and lack of user awareness may pose a significant threat to undermining the applicability of such tools. We conducted a multifold study of - 1) Privacy Policies (Manually and with Polisis, an automated framework to evaluate privacy policies); 2) App permissions; 3) Static Analysis for inherent security issues; 4) Dynamic Analysis for threat surface and vulnerabilities detection, and 5) Traffic Analysis. Our results indicate that apps' exploitable flaws, dangerous permissions, and insecure data handling pose a potential threat to the users' privacy and security. The Dynamic analysis identified 145 vulnerabilities in 20 top-rated MMH apps where attackers and malicious apps can access sensitive information. 45% of MMH apps use a unique identifier, Hardware Id, which can link a unique id to a particular user and probe users' mental health. Traffic analysis shows that sensitive mental health data can be leaked through insecure data transmission. MMH apps need better scrutiny and regulation for more widespread usage to meet the increasing need for mental health care without being intrusive to the already vulnerable population.