NHS-approved apps found ‘leaking’ ID data

Many NHS-accredited smartphone health apps leak data that could be used for ID theft and fraud, a study has found. The apps are included in NHS England’s Health Apps Library, which tests programs to ensure they meet standards of clinical and data safety. But the study by researchers in London discovered that, despite the vetting, some apps flouted privacy standards and sent data without encrypting it.

The apps in the library are aimed at helping people lose weight, stop smoking, be more active and cut back on drinking. Of the total, 70 sent personal data to associated online services and 23 did so without encrypting it. The study found that four apps sent both personal and health data without protecting it from potential eavesdropping. If intercepted, the data could be used for ID theft or fraud.

More than half of the apps had a privacy policy but many of these were vaguely worded and did not let people know what types of data were being shared.

“A new, more thorough NHS endorsement model for apps has begun piloting this month.”

This study reveals the shortcomings of many app developers who were a) not following well-established ways of handling personal data and b) unaware of the many security issues that need to be addressed when developing apps. More info on app security can be found here.
