iPharmacy app puts personal, medical info at risk

The iPharmacy Drug Guide & Pill ID app, an Android app that has earned a top developer award from Google Play, is also "one of the top offenders when it comes to risky privacy behaviors for apps in the health or medical category," according to a PC Magazine article.

The app, designed to identify a person's pills and medication treatment, is "playing fast and loose" with users' medical and personal information, writes the author. The article cites Appthority, an application risk management service, which reports that the app has some serious problems that potential users should consider.

"While iPharmacy says that it encrypts your personal information, Appthority found that your username and password are merely 'encoded with a common encoding scheme' that is easy to decode," states the article. "Worse yet, your searches for drugs on the app are sent over the network, along with your user info, without any encryption at all."

In addition, Appthority discovered that iPharmacy sent personal information--such as phone number, device's IMEI number, exact geo-location, Wi-Fi access points currently in use (and used in the past), a list of apps on a device, wireless carrier and exact model of phone--to three different ad networks. Moreover, all activities within the app are tracked by numerous analytic networks like UrbanAirship and Google Analytics, the article found.

"Worst of all, the app's privacy policy makes many claims which Appthority found to be patently false," the author writes. "For instance, the statement says that iPharmacy will not collect information on users under the age of 18, but the app has no way to confirm the user's age. The statement also says that user information will be encrypted (it's not) and that it gathers 'non-personal information' but neglects to mention the multitude of personal information it does collect."

The inherent risk is that if the app is used on an unsecured wireless network, someone could intercept the information and see which drugs a person is searching for, as well as the medication reminders that have been set by the app. Besides the information about a person's medicines, a snoop on the network could also see personal information collected by the app. 

In July, the Privacy Rights Clearinghouse, a California nonprofit, issued a study on mobile health and fitness apps based on a technical risk assessment they performed to determine what data the apps collected, stored, and transmitted. After studying 43 popular apps (both free and paid) from a consumer and technical perspective, the group found "considerable privacy risks for users" and that the privacy policies for those apps that have policies do not describe those risks.

To learn more:
- read the article in PC Magazine