HIV apps vulnerable to privacy, security breaches

Mobile phone apps for the prevention and care of human immunodeficiency virus (HIV) and other sexually transmitted diseases (STDs) are fraught with security concerns, according to a letter to the editor of the Journal of Medical Internet Research.

The delivery of HIV/STD prevention and care services via smartphone apps is "an area of rapid and immense growth" in which users are potentially vulnerable to confidentiality and security breaches when downloading these apps, argue the authors.

"The concern arises when the app is not developed by a named professional healthcare body/organization and there is no assurance of confidentiality," states the letter. "Today's smartphone applications often fail to provide users with visibility into where their private data is being stored and how it is being used. There are often significant social implications associated with a diagnosis of HIV and the secure storage of their personal information is of immense importance to those living with the condition."

"...Even individuals simply looking for information on the topic, or calculating their risk of contracting a STD after unprotected sexual intercourse, may be concerned if an unverified smartphone application had access to their personal information including precise location."

In particular, the letter calls into question the "permissions" that an app may require for optimum functioning, which can involve access to and control of sensitive personal data. As the authors point out, apps often have legitimate reasons for accessing this sensitive and private data. For instance, permission to obtain the exact GPS location of the app user is necessary if the app is designed to provide information on the nearest HIV/STD testing center. In addition, if the app is designed as a personal assistant for those living with HIV, access to the user's calendar is important to remind them of their next hospital appointment. However, other permissions might be more insidious.

"When downloading an app, the user is asked to authorize the 'permissions' requested by the application," states the letter. "There are over 100 different 'permissions' requested by smartphone applications. While some of the 'permissions' requested are harmless, many raise serious concerns regarding the confidentiality and security of the apps requesting them."

The authors recommend that consumers pay attention to who developed an HIV/STD app in order to ascertain whether the developer is a reputable body. In addition, the letter advises that users note the permissions requested by the apps and only proceed with the download if they are comfortable with these requests.

"Whilst more vigilance amongst app users is essential, it is also the responsibility of the companies that offer these apps to ensure their products are not malicious and employ the highest levels of data protection software," state the authors.

According to the letter, Apple's iTunes Store states that all their apps are pre-screened prior to making them available for download. However, the authors assert that the "recent controversy surrounding Apple, for enabling the download of malicious apps that stole their users' address books, show that this screening process is not infallible."

According to web analytics and privacy group Evidon, the top 20 most popular health, wellness and fitness apps, including WebMD Health, are actively sharing user data with as many as 70 third-party companies. Evidon's findings were featured in a recent Financial Times article which revealed that the third parties often use the information gathered from consumers who are tracking diseases, diets and bicycle trip distances to build profiles or display personalized ads.
