Introduction: This study examined Persian Android mobile health (mHealth) applications to describe the use of dangerous permissions in health-related mobile applications. The most frequently used normal and dangerous permissions in mHealth applications were reviewed.
Materials and Methods: We wrote a PHP script to crawl information on Android apps in the “health” and “medicine” categories of the Cafebazaar app store. The permission information of these applications was then extracted.
Results: 11627 permissions were obtained from the 3331 apps studied. At least one dangerous permission was present in 48% of the reviewed apps. 41% of free applications, 53% of paid applications and 71% of in-app purchase applications contained dangerous permissions. 1321 applications had permission to write to the phone's external storage (40%), 1288 applications had permission to read from external storage (39%), 422 applications could read the contact list and ongoing calls (13%), and 188 applications were allowed to access the phone's location (5%).
Conclusion: Most Android permissions are harmless, but a significant number of apps have at least one dangerous permission, which increases the security risk. Paying attention to the permissions requested at installation is therefore the best way to ensure that an application installed on your phone can access only what you want.
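The measurement reported in the Results can be reproduced on any set of manifests with a short audit script. The following is an added example, not the authors' PHP crawler: it parses `AndroidManifest.xml` text, flags permissions with the dangerous protection level, and reports the share of flagged apps per pricing model. The `DANGEROUS` set is a subset chosen to match the groups named in the abstract, the mapping of "ongoing calls" to `READ_PHONE_STATE` is an assumption, and the sample manifests and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's dangerous-protection-level permissions covering the
# groups named in the abstract: storage, contacts, phone state, location.
# Mapping "ongoing calls" to READ_PHONE_STATE is an assumption.
DANGEROUS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

def manifest_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed tags without android:name

def dangerous_permissions(manifest_xml):
    """Sorted list of declared permissions that are in DANGEROUS."""
    return sorted(manifest_permissions(manifest_xml) & DANGEROUS)

def dangerous_share(apps):
    """apps: iterable of (pricing, manifest_xml).
    Returns {pricing: (apps_with_dangerous, total_apps, percent)}."""
    counts = defaultdict(lambda: [0, 0])
    for pricing, manifest_xml in apps:
        counts[pricing][1] += 1
        if dangerous_permissions(manifest_xml):
            counts[pricing][0] += 1
    return {p: (f, t, round(100 * f / t)) for p, (f, t) in counts.items()}

def _manifest(*perms):
    """Build a constructed manifest declaring the given permissions."""
    tags = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="example.constructed">{tags}</manifest>')

# Constructed sample data, not taken from the study.
SAMPLE = [
    ("free", _manifest("android.permission.INTERNET")),
    ("free", _manifest("android.permission.INTERNET", "android.permission.READ_CONTACTS")),
    ("paid", _manifest("android.permission.WRITE_EXTERNAL_STORAGE")),
    ("in-app", _manifest("android.permission.ACCESS_FINE_LOCATION", "android.permission.VIBRATE")),
]

if __name__ == "__main__":
    for pricing, (flagged, total, pct) in dangerous_share(SAMPLE).items():
        print(f"{pricing}: {flagged}/{total} apps ({pct}%) request a dangerous permission")
```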