Security Challenges in Android mHealth Apps Permissions: A Case Study of Persian Appsand
In this study, Persian Android mobile health (mhealth) applications were studied to describe usage of dangerous permissions in health related mobile applications. So the most frequently normal and dangerous permissions used in mHealth applications were reviewed.
Material and Methods:
We wrote a PHP script to crawl information of Android apps in “health” and “medicine” categories from Cafebazaar app store. Then permission information of these application were extracted.
11627 permissions from 3331 studied apps were obtained. There was at least one dangerous permission in 48% of reviewed apps. 41% of free applications, 53% of paid applications and 71% of in-purchase applications contained dangerous permissions. 1321 applications had writing permission to external storage of phone (40%), 1288 applications had access to read from external storage (39%), 422 applications could read contact list and ongoing calls (13%) and 188 applications were allowed to access phone location (5%).
Most of Android permissions are harmless but significant number of the apps have at least one dangerous permission which increase the security risk. So paying attention to the permissions requested in the installation step is the best way to ensure that the application installed on your phone can only access what you want.
App stores that host hundreds of thousands of applications (apps) are the main distribution channel for mobile health (mHealth) apps and users can download and install third-party apps from these markets . App stores have created a new software deployment ecosystem which are technically different from traditional methods [2-4]. Some third-party developers are malicious, most authors of applications are not security experts and their code may contain vulnerabilities .
Android is a privilege-separated operating system which additional security features are provided through permissions. Permission mechanism enforces restrictions on the specific operations that a particular process can perform. A basic Android application cannot do anything that would impact the user privacy or any data on the device, because it has no permissions associated with it by default. In the process of installing an application, the list of permissions that the app requests is shown to the user. The user should decide to accept or cancel installation. These permissions are not shown at any time after than installation step . To make use of protected features of the device, one or more <uses-permission> tags must be included in the app manifest file . For example, Fig 1 shows permission definition in manifest file to monitor incoming SMS messages in the app.
Android permissions have several protection levels. Two most important protection levels are normal and dangerous permissions. Normal permissions do not pose much risk to the user's privacy or operation of device and the system automatically grants them. For example, permission to set the time zone is a normal permission. Dangerous permissions could potentially affect the user's privacy or the normal operation of device, therefore the system asks the user to explicitly grant those permissions in the manifest file. For example, the ability to read the user's contacts is a dangerous permission. Table 1 lists all dangerous permissions in Android according to Google .
Dangerous permissions in Android apps
Several studies have been done on vulnerabilities in the mobile applications but few of them have discussed Android permissions vulnerabilities. A Study by Felt et.al  Considered 100 paid and 856 free applications from the Android Market. Selected apps in that survey was not limited to health related topics and did not compare mobile applications based on their categories. In another study , requested permissions in a large number of Android applications were studied but they did not mention details of their sample and application’s topic. None of these studies focused on mHealth apps permissions and vulnerabilities. In this survey, we considered only Android mHealth apps in health and medicine categories. Most of Iranian users download apps from Persian app stores. “Cafebazaar” is the largest Iranian Android app store and contained more than 3500 apps in medical and health categories in 2016 . The study aims to describe security challenges of released mHealth apps permissions in Persian Android app store “Cafebazaar”.
MATERIAL AND METHODS
We wrote a PHP script to crawl information of Android apps in “health” and “medicine” categories from Cafebazaar app store in August 2019. We also crawled list of permissions used in gathered apps. The information of 3390 apps were gathered in this two categories. After review information 59 apps were excluded because their scope did not relate to medicine and health. Based on the apps description we defined eight subcategories under “health” and “medicine” categories: “drug information”, “traditional medicine”, “fitness”, “health education”, “pregnancy and parturition”, “diet and nutrition”, “health test results” and “self-monitoring”. Permissions of selected apps were overviewed and security challenges from different viewpoints were analyzed.
Total number of permissions used in these apps were 11627 permissions. Number of unique permissions requested in all studied apps were 365 permissions. Table 2 lists 15 top most frequently requested permissions out of 365 total different permissions in developing mHealth apps. More than 90% of total requested permissions in 3331 studied apps were permissions listed in Table 2.
Six of 15 most frequently requested permissions are dangerous. 1321 applications had writing permission to external storage of phone (40%), 1288 apps had access to read from external storage (39%), 422 apps could read contact list and ongoing calls (13%) and 188 apps requested ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions were allowed to access phone location (2%) (Table 2). Fig 2 shows comparison of top dangerous permissions used in studied apps. In this figure, the distribution of apps based on their price and purchase type (free, paid, in-purchase) is also considered. 41% of free apps, 53% of paid apps and 71% of in-purchase apps contained dangerous permissions.
Fifteen most frequently (90%) requested permissions in developing Persian Android mHealth apps
Fig 3 shows number of apps grouping by number of requested dangerous permissions. There is at least one dangerous permission in 48% of reviewed apps. Our results show 6% of studied apps had more than 5 dangerous permissions. In other words, about 94% of studied apps had 1-5 dangerous permissions. Also there is an app with 13 dangerous permissions which contained the most number of dangerous permission in just one application.
Table 3 describes usage of permissions by most active mobile health application developers. 15 developers with the highest number of published applications in the health field were selected. 362 mHealth apps were published in Cafebazaar app store by these active developers. Totally 1108 permissions were used in these apps, which 478 permissions were dangerous permissions (43%).
We defined 8 subcategories in health and medicine to compare applications based on their topic in Cafebazaar app store. We also selected top 10 most popular mHealth apps and put them in 8 predefined subcategories. As Table 4 shows, we can see distribution of dangerous permissions in these most popular mHealth apps. WRITE_EXTERNAL_STORAGE, READ_EXTERNAL_STORAGE, READ_PHONE_STATE, GET_ACCOUNTS, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, CAMERA and READ_CONTACTS are dangerous permissions used in these 80 popular apps.
Total number of dangerous permissions requested in these apps is 123 with the average of 1.5 per app. Minimum and maximum number of dangerous permissions in selected popular apps has been observed in the “health test results” and “self-monitoring” subcategories respectively. Permissions to transfer data with external storage that includes WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE are the most frequent dangerous permissions in all subcategories.
The use of permissions by most active mHealth apps developers in Cafebazaar app store
Dangerous permissions of most popular mHealth apps in different subcategories
This survey was one of the first to study security challenges of Android mHealth apps. Our study results indicate the status of dangerous permissions usage in mHealth apps which almost half of the apps have at least one dangerous permission. Although we focused on mHealth apps in this survey, the results of our study about the most frequent dangerous permissions are consistent with the results of previous studies. The order of requested dangerous permissions is almost the same. Data transmission with external storage, get phone status information, access to the location and read contacts list are ordinary the most frequent dangerous permissions in these studies [12, 13].
Unnecessary permission warnings in over privileged applications reduced user’s attention to warning about apps vulnerabilities . Although Android’s permission system is intended to inform users about the risks of installing apps, current Android permission warnings do not help most users make good security decisions . The results of a study conducted by Enck  showed that only 17% of participants paid attention to permissions during installation and usually Android permission warnings are ignored by users. Most surveys have found that people are very protective of their personal data when asked directly about their privacy preferences [16, 17] but their actions do not always correspond to their preferences [18, 19]. This may be because users overestimate their privacy or they do not understand what actions violate their privacy preferences.
We considered the number of dangerous permissions requested in an app as an indicator of application vulnerability. Storage group permissions are the most requested dangerous permissions in all subcategories. In many mobile applications, some of the information needs to be stored in storage, so access to external storage in these apps should be considered. For example, to store data logs in self-monitoring apps, the application should be able to write to the external storage. It requires WRITE_EXTERNAL_STORAGE permission. Also, to retrieve data stored in storage, display it in the app or report to the user, the application should have access to read stored information. To this end, READ_EXTERNAL_STORAGE permission should be defined at development time. Self-monitoring apps help users creating a healthy lifestyle. These apps let users view a complete history of their health data, including activity, sleep, weight, and monitor blood pressure, heart rate and pulse wave velocity. Users can see their trends, track progress, and improve over time. In self-monitoring apps GPS is used to help users tracking steps. The use of GPS in app requires ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. In some apps, users can share their photos. Due to the fact that access to the camera should exist in these apps, the CAMERA permission is required. Our study results show the apps in self-monitoring subcategory have the highest levels of vulnerability.
INTERNET permission was the most common requested permission in studied apps. Most of the time, the log of health data is sent to the server as soon as phone device is connected to the Internet. Most of apps allow users to share their health information on social networks with friends and family and experience a healthy competition with each other. Also large number of mHealth apps update their content continuously. INTERNET permission is required to sync data stored on the phone with server, share information and update content of applications. In some other studies [6, 20], the INTERNET permission has been reported as the most frequent dangerous permission. Since INTERNET permission was requested by many apps so Google decided to change its protection level to normal and no longer consider INTERNET as a dangerous permission. In this study we did not consider INTERNET as a dangerous permission by itself but when Internet connection is allowed with a dangerous permission in an application simultaneously, the risk of privacy violations increase significantly.
There were some limitations in our study. In this study we just considered published applications in Cafebazaar app store as the most popular Persian Android app store. Although there are several other Persian app stores, there is a big difference between the number of released apps in Cafebazaar and other app stores. We had collected and reviewed all apps in both health and medicine categories but it is possible that a limited number of developers put their health-related apps in other categories. We did not consider these mHealth apps in our study.
There are a lot of permissions that Android developers use to make their products work well. Most of permissions are harmless but when normal permissions are used together in an application, the possibility of some threats are increased. Also, the use of some normal permissions, such as INTERNET permission, with dangerous permissions can increase the risk. So pay attention to the permissions requested in the installation step is the best way to ensure that the application installed on your phone can only access what you want.
The authors agree on this final form of the manuscript, and attested that all authors contributed in the final draft of the manuscript.
CONFLICTS OF INTEREST
The authors declare no conflicts of interest regarding the publication of this study.
No financial interests related to the material of this manuscript have been declared.