Over 100 free and paid Health and quasi-medical apps on the Apple App Store were analysed for their data-harvesting. For the most part, they collect way more data than they need to do the job. These included health, fitness, fertility, diet, sleep, yoga, and cycling apps.
Now it is not just Apple – Google Play also has many of these apps. The research is particularly timely in light of Apple’s iOS update that requires you to give permissions on an app-by-app basis. It focused on the privacy policies of each app. Paid apps were preferred as there are many more backdoors in free or freemium ones. Here is a general warning about Health and quasi-medical apps.
What permissions should you be granting an app? As few as possible. For example, why would Fitbit (now owned by Google) and GoogleFit be two of the most intrusive health apps when all you may use it for is a pedometer? Why does Down Dog need to know so much when it is a yoga instruction app? Diet apps are also among the most intrusive.
Any paid app that requires you to create an account and sign-in will, at a minimum, have:
Address (it already has GPS/Wi-Fi location details)
Voice recording (often used for MFA verification)
Many apps have compulsory questions to round out your profile – if the app does not need it, don’t give it.
Age and Gender
Height and weight
Shoe and hat size
Workout or exercise details
Sports and hobbies (play or follow)
Female menstrual cycle
Sleep schedule (or take it from your smartwatch)
If you use social media to sign in, then all data is passed up the line (such as to Facebook) to verify you. This also means it may ask for your family and friend’s details to target them as well.
Why does this matter for health and quasi-medical apps?
In general terms you don’t want personal data in the public domain. Most of these apps sell your data to Facebook, especially if you participate in leader boards and group challenges. It is not benign as Facebook is the most data-hungry app on the planet, and you cannot trust it. #Delete Facebook
Others sell data to companies that can use it. For example, health and life insurance companies want to know about your wellness habits. Some sell to medical practitioner networks or worse – baby shops – to drum up business.
Some sell to brokers that hawk your data to others that, when aggregated with other data, can de-anonymise you. In other words, the app you use may be the key to adding your real name to your profile. Lastly, some sell data to the dark web to round out your profile.
Other apps have purposes. Femm, a fertility app funded by anti-abortion, anti-gay Catholic campaigners, “sows doubt about the safety and efficacy of hormonal birth control.”
What to do when Apple’s iPhone asks?
First, no app should gather data all the time, so only allow the app permission to do so when you use it. No app should be allowed to run in the background.
Second, if an app asks for more than it needs to do its job, deny that permission. For example, asking you to take a photo and record your voice means they can access your camera and mic.
Never use social media logins – always use your ‘junk’ email address and a strong password. That way, if the app gets hacked, you will get a notification.
If available, use Apples own ‘Sign-in with Apple’ feature that shields you from using your private email address and personal details.
Never answer questionnaires that ask for details outside what it needs. If you do, it could secretly be adding permissions like accessing your pedometer or linking to other apps.
Look at the app developers pedigree. Just because it is on Apple App Store does not mean it is good. It could come from a third-world country. It could target advertisements and even steal your ID.