Cyber: Android Mental Health Apps With 14.7m Installs Filled With Security...
Several mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users’ sensitive medical information.
Some of the products are AI companions designed to help people suffering from clinical depression, multiple forms of anxiety, panic attacks, stress, and bipolar disorder.
At least six of the ten analyzed apps state that user conversations or chats remain private, or are encrypted securely on the vendor’s servers.
“Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,” says Sergey Toshin, founder of mobile security company Oversecured.
Oversecured scanned ten mobile apps advertised as tools that can help with various mental health problems, and uncovered a total of 1,575 security vulnerabilities (54 rated high-severity, 538 medium-severity, and 983 low-severity).
Although none of the discovered issues are critical, many can be leveraged to intercept login credentials, spoof notifications, inject HTML, or locate the user.
The researchers used the Oversecured scanner to check the APK files of the ten mental health applications for known vulnerability patterns in dozens of categories.
In a report shared with BleepingComputer, the researchers say that some of the verified apps “parse user-supplied URIs without adequate validation.”
One therapy app with more than one million downloads uses Intent.parseUri() on an externally controlled string and launches the resulting messaging object (intent) without validating the target component.
This allows an attacker to force the app to open any internal activity, even if it is not intended for external access.
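The following is an added illustration of the pattern described above, not code from the Oversecured report or from any of the analysed apps. It contrasts the unsafe handling (Intent.parseUri() on an externally supplied string, then startActivity() with no check on the target) with a hardened version that strips any explicit component or selector, requires a BROWSABLE resolution, and refuses to be steered back into the app's own package. The activity name, the "next" query parameter, and the method names are assumptions made for the example.

```java
// Added example: hypothetical deep-link handler. Not from the report or the apps it covers.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

import java.net.URISyntaxException;

public class DeepLinkActivity extends Activity {
    private static final String TAG = "DeepLink";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri data = getIntent().getData();
        if (data == null) return;
        // Assumed query parameter carrying an intent: URI supplied by whoever
        // launched this activity (a browser, another app, a crafted link).
        String target = data.getQueryParameter("next");
        if (target != null) {
            openSafely(target);
        }
    }

    // UNSAFE: the parsed intent may carry an explicit component name, so the
    // caller can steer the app into any of its own non-exported activities.
    void openUnsafely(String uriString) throws URISyntaxException {
        Intent intent = Intent.parseUri(uriString, Intent.URI_INTENT_SCHEME);
        startActivity(intent); // target component is never checked
    }

    // HARDENED: treat the string as untrusted, remove anything that addresses
    // a component directly, and only allow a BROWSABLE resolution.
    void openSafely(String uriString) {
        Intent intent;
        try {
            intent = Intent.parseUri(uriString, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            Log.w(TAG, "rejecting malformed intent URI");
            return;
        }
        // An explicit component or selector bypasses intent-filter resolution
        // and can reach a non-exported activity; drop both.
        intent.setComponent(null);
        intent.setSelector(null);
        // Only activities that opted in to being launched from a link may resolve.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // Do not forward URI permission grants on behalf of an external caller.
        intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        // Refuse anything that would land back inside this package: internal
        // navigation should use explicit intents the app builds itself.
        ComponentName resolved = intent.resolveActivity(getPackageManager());
        if (resolved == null) {
            Log.w(TAG, "no BROWSABLE activity resolves the supplied URI");
            return;
        }
        if (getPackageName().equals(resolved.getPackageName())) {
            Log.w(TAG, "refusing externally supplied intent into own package");
            return;
        }
        startActivity(intent);
    }
}
```

The same-package refusal is the strictest choice; an app that legitimately needs link-driven navigation to a few of its own screens would instead keep an explicit allowlist of exported activity classes and compare the resolved ComponentName against it. Either way, the point is that the component the external string names is never trusted as-is.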
Source: BleepingComputer