As we noted yesterday, the app store can be tough to navigate when you’re in the market for health or fitness support. Those apps often require personal medical information, and have little or no privacy protections in place for the user, said researcher Beth Givens, director of Privacy Rights Clearinghouse in San Diego.
In her study of 43 of the most popular health apps, many had high levels of security risks for the user, sending unencrypted data to unidentified third parties unbeknownst to the user. Free apps, which depend on advertiser revenue, were the worst offenders.
“It’s an unregulated industry, so there are no standards,” Givens told HealthBiz Decoded. “I’d love to see developers put some standards in place, but that hasn’t happened yet.”
To accompany Givens’s tips for consumers selecting personal health apps, technical researcher Craig Michael Lie Njie of Kismet World Wide Consulting offered advice to developers on how to stand out from the crowd and create a product that protects users’ information privacy.
Developers can moderate risk by how they collect, store and transmit data, but nevertheless, the more user data an app collects, and the more sensitive that data is, the greater the privacy risk to the user of that app.
Most app developers aren’t creating security vulnerabilities maliciously, Njie said, they simply don’t have a checklist for keeping user privacy protected.
Tips and best practices for designing and making an app
- Never send user information or passwords as clear text.
- Make sure all network communication is encrypted: always use HTTPS, not HTTP, to transmit user data to an Internet server.
- Ideally, do not use ads in your app. If you must use ads, do not share personal user information with the advertisers. Everything you communicate should be sent by HTTPS.
- If your app shares information with third party analytics services (which is not recommended) make sure all data is made anonymous before it is sent.
- Do not collect, store or transmit data that isn’t absolutely required for the app to function.
- Do not expose personal information in URLs. Consider this example:
A casual observer could deduce that the user has AIDs, is in New York and was diagnosed in January of 2013. A better URL would be:
Make sure the URL expires after the first time a user loads it or requires a cookie to access it.