1. Department of Medical Informatics, School of Medicine, Mashhad University of Medical Sciences, Mashhad, Iran.
In this study, Persian Android mobile health (mhealth) applications were studied to describe usage of dangerous permissions in health related mobile applications. So the most frequently normal and dangerous permissions used in mHealth applications were reviewed.
We wrote a PHP script to crawl information of Android apps in “health” and “medicine” categories from Cafebazaar app store. Then permission information of these application were extracted.
11627 permissions from 3331 studied apps were obtained. There was at least one dangerous permission in 48% of reviewed apps. 41% of free applications, 53% of paid applications and 71% of in-purchase applications contained dangerous permissions. 1321 applications had writing permission to external storage of phone (40%), 1288 applications had access to read from external storage (39%), 422 applications could read contact list and ongoing calls (13%) and 188 applications were allowed to access phone location (5%).
Most of Android permissions are harmless but significant number of the apps have at least one dangerous permission which increase the security risk. So paying attention to the permissions requested in the installation step is the best way to ensure that the application installed on your phone can only access what you want.
Received: 2020 June 23; Revision Received: 2020 July 13; Accepted: 2020 August 24
App stores that host hundreds of thousands of applications (apps) are the main distribution channel for mobile health (mHealth) apps and users can download and install third-party apps from these markets . App stores have created a new software deployment ecosystem which are technically different from traditional methods [2-4]. Some third-party developers are malicious, most authors of applications are not security experts and their code may contain vulnerabilities .
Android is a privilege-separated operating system which additional security features are provided through permissions. Permission mechanism enforces restrictions on the specific operations that a particular process can perform. A basic Android application cannot do anything that would impact the user privacy or any data on the device, because it has no permissions associated with it by default. In the process of installing an application, the list of permissions that the app requests is shown to the user. The user should decide to accept or cancel installation. These permissions are not shown at any time after than installation step . To make use of protected features of the device, one or more <uses-permission> tags must be included in the app manifest file . For example, Fig 1 shows permission definition in manifest file to monitor incoming SMS messages in the app.
Android permissions have several protection levels. Two most important protection levels are normal and dangerous permissions. Normal permissions do not pose much risk to the user's privacy or operation of device and the system automatically grants them. For example, permission to set the time zone is a normal permission. Dangerous permissions could potentially affect the user's privacy or the normal operation of device, therefore the system asks the user to explicitly grant those permissions in the manifest file. For example, the ability to read the user's contacts is a dangerous permission. Table 1 lists all dangerous permissions in Android according to Google .
Several studies have been done on vulnerabilities in the mobile applications but few of them have discussed Android permissions vulnerabilities. A Study by Felt et.al  Considered 100 paid and 856 free applications from the Android Market. Selected apps in that survey was not limited to health related topics and did not compare mobile applications based on their categories. In another study , requested permissions in a large number of Android applications were studied but they did not mention details of their sample and application’s topic. None of these studies focused on mHealth apps permissions and vulnerabilities. In this survey, we considered only Android mHealth apps in health and medicine categories. Most of Iranian users download apps from Persian app stores. “Cafebazaar” is the largest Iranian Android app store and contained more than 3500 apps in medical and health categories in 2016 . The study aims to describe security challenges of released mHealth apps permissions in Persian Android app store “Cafebazaar”.
We wrote a PHP script to crawl information of Android apps in “health” and “medicine” categories from Cafebazaar app store in August 2019. We also crawled list of permissions used in gathered apps. The information of 3390 apps were gathered in this two categories. After review information 59 apps were excluded because their scope did not relate to medicine and health. Based on the apps description we defined eight subcategories under “health” and “medicine” categories: “drug information”, “traditional medicine”, “fitness”, “health education”, “pregnancy and parturition”, “diet and nutrition”, “health test results” and “self-monitoring”. Permissions of selected apps were overviewed and security challenges from different viewpoints were analyzed.
Total number of permissions used in these apps were 11627 permissions. Number of unique permissions requested in all studied apps were 365 permissions. Table 2 lists 15 top most frequently requested permissions out of 365 total different permissions in developing mHealth apps. More than 90% of total requested permissions in 3331 studied apps were permissions listed in Table 2.
Six of 15 most frequently requested permissions are dangerous. 1321 applications had writing permission to external storage of phone (40%), 1288 apps had access to read from external storage (39%), 422 apps could read contact list and ongoing calls (13%) and 188 apps requested ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions were allowed to access phone location (2%) (Table 2). Fig 2 shows comparison of top dangerous permissions used in studied apps. In this figure, the distribution of apps based on their price and purchase type (free, paid, in-purchase) is also considered. 41% of free apps, 53% of paid apps and 71% of in-purchase apps contained dangerous permissions.
|Permission||Dangerous Permission||Number of Apps|
(Allows applications to open network sockets)
(Allows an application to write to external storage)
(Allows an application to read from external storage)
(Allows In-app purchase)
(Allows applications to access information about networks)
(Allows access to the vibrator)
(Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming)
(Allows read only access to phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any phone accounts registered on the device)
(Allows automatically run an application on phone startup)
(Allows access to the list of accounts in the Accounts Service)
(Allows applications to access information about Wi-Fi networks)
(Allows an app to access approximate location)
(Allows an app to access precise location)
Fig 3 shows number of apps grouping by number of requested dangerous permissions. There is at least one dangerous permission in 48% of reviewed apps. Our results show 6% of studied apps had more than 5 dangerous permissions. In other words, about 94% of studied apps had 1-5 dangerous permissions. Also there is an app with 13 dangerous permissions which contained the most number of dangerous permission in just one application.
Table 3 describes usage of permissions by most active mobile health application developers. 15 developers with the highest number of published applications in the health field were selected. 362 mHealth apps were published in Cafebazaar app store by these active developers. Totally 1108 permissions were used in these apps, which 478 permissions were dangerous permissions (43%).
We defined 8 subcategories in health and medicine to compare applications based on their topic in Cafebazaar app store. We also selected top 10 most popular mHealth apps and put them in 8 predefined subcategories. As Table 4 shows, we can see distribution of dangerous permissions in these most popular mHealth apps. WRITE_EXTERNAL_STORAGE, READ_EXTERNAL_STORAGE, READ_PHONE_STATE, GET_ACCOUNTS, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, CAMERA and READ_CONTACTS are dangerous permissions used in these 80 popular apps.
Total number of dangerous permissions requested in these apps is 123 with the average of 1.5 per app. Minimum and maximum number of dangerous permissions in selected popular apps has been observed in the “health test results” and “self-monitoring” subcategories respectively. Permissions to transfer data with external storage that includes WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE are the most frequent dangerous permissions in all subcategories.
|Developer||Free apps||Paid apps||In-purchase apps||Total apps||Average of permissions per app||Average of dangerous permissions per app|
|Permission||Drug information||Traditional medicine||Fitness||Health education||Pregnancy and parturition||Diet and nutrition||Health test results||Self -monitoring||Sum|
This survey was one of the first to study security challenges of Android mHealth apps. Our study results indicate the status of dangerous permissions usage in mHealth apps which almost half of the apps have at least one dangerous permission. Although we focused on mHealth apps in this survey, the results of our study about the most frequent dangerous permissions are consistent with the results of previous studies. The order of requested dangerous permissions is almost the same. Data transmission with external storage, get phone status information, access to the location and read contacts list are ordinary the most frequent dangerous permissions in these studies [12, 13].
Unnecessary permission warnings in over privileged applications reduced user’s attention to warning about apps vulnerabilities . Although Android’s permission system is intended to inform users about the risks of installing apps, current Android permission warnings do not help most users make good security decisions . The results of a study conducted by Enck  showed that only 17% of participants paid attention to permissions during installation and usually Android permission warnings are ignored by users. Most surveys have found that people are very protective of their personal data when asked directly about their privacy preferences [16, 17] but their actions do not always correspond to their preferences [18, 19]. This may be because users overestimate their privacy or they do not understand what actions violate their privacy preferences.
We considered the number of dangerous permissions requested in an app as an indicator of application vulnerability. Storage group permissions are the most requested dangerous permissions in all subcategories. In many mobile applications, some of the information needs to be stored in storage, so access to external storage in these apps should be considered. For example, to store data logs in self-monitoring apps, the application should be able to write to the external storage. It requires WRITE_EXTERNAL_STORAGE permission. Also, to retrieve data stored in storage, display it in the app or report to the user, the application should have access to read stored information. To this end, READ_EXTERNAL_STORAGE permission should be defined at development time. Self-monitoring apps help users creating a healthy lifestyle. These apps let users view a complete history of their health data, including activity, sleep, weight, and monitor blood pressure, heart rate and pulse wave velocity. Users can see their trends, track progress, and improve over time. In self-monitoring apps GPS is used to help users tracking steps. The use of GPS in app requires ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. In some apps, users can share their photos. Due to the fact that access to the camera should exist in these apps, the CAMERA permission is required. Our study results show the apps in self-monitoring subcategory have the highest levels of vulnerability.
INTERNET permission was the most common requested permission in studied apps. Most of the time, the log of health data is sent to the server as soon as phone device is connected to the Internet. Most of apps allow users to share their health information on social networks with friends and family and experience a healthy competition with each other. Also large number of mHealth apps update their content continuously. INTERNET permission is required to sync data stored on the phone with server, share information and update content of applications. In some other studies [6, 20], the INTERNET permission has been reported as the most frequent dangerous permission. Since INTERNET permission was requested by many apps so Google decided to change its protection level to normal and no longer consider INTERNET as a dangerous permission. In this study we did not consider INTERNET as a dangerous permission by itself but when Internet connection is allowed with a dangerous permission in an application simultaneously, the risk of privacy violations increase significantly.
There were some limitations in our study. In this study we just considered published applications in Cafebazaar app store as the most popular Persian Android app store. Although there are several other Persian app stores, there is a big difference between the number of released apps in Cafebazaar and other app stores. We had collected and reviewed all apps in both health and medicine categories but it is possible that a limited number of developers put their health-related apps in other categories. We did not consider these mHealth apps in our study.
There are a lot of permissions that Android developers use to make their products work well. Most of permissions are harmless but when normal permissions are used together in an application, the possibility of some threats are increased. Also, the use of some normal permissions, such as INTERNET permission, with dangerous permissions can increase the risk. So pay attention to the permissions requested in the installation step is the best way to ensure that the application installed on your phone can only access what you want.
|1.||Xu, W. Liu, Y. mHealthApps: A repository and database of mobile health apps. JMIR Mhealth Uhealth 2015 3(1):e28.|
|2.||Harman, M. Jia, Y. Zhang, Y. App store mining and analysis: MSR for app stores IEEE Working Conference on Mining Software Repositories. IEEE 2012|
|3.||Lim, SL. Bentley, PJ. Investigating app store ranking algorithms using a simulation of mobile app ecosystems IEEE Congress on Evolutionary Computation. IEEE 2013|
|4.||Minelli, R. Lanza, M. Software analytics for mobile applications: Insights & lessons learned European Conference on Software Maintenance and Reengineering. IEEE 2013|
|5.||He, D. Naveed, M. Gunter, CA. Nahrstedt, K. Security concerns in Android mHealth apps. AMIA Annu Symp Proc 2014 2014:645–54.|
|6.||Felt, AP. Ha, E. Egelman, S. Haney, A. Chin, E. Wagner, D. Android permissions: User attention comprehension, and behavior Symposium on Usable Privacy and Security. ACM 2012|
|7.||Sbîrlea, D. Burke, MG. Guarnieri, S. Pistoia, M. Sarkar, V. Automatic detection of inter-application permission leaks in android applications. IBM Journal of Research and Development 2013 57(6):1–20.|
|8.||Google Developers. Android security guide [Internet]. 2012 [cited: 2 Jun 2010]. Available from: [WebCite Cache]|
|9.||Felt, AP. Greenwood, K. Wagner, D. The effectiveness of application permissions USENIX conference on Web application development. WebApps 2011|
|10.||Di, CF.; Girardello, A.; Michahelles, F.; Voronkova, S. Detection of malicious applications on android OS International Workshop on Computational Forensics. Springer; 2010.|
|11.||Ghazi, SM. Rostam, NKS. Nouria, R. Yasini, M. Persian mHealth apps: A cross sectional study based on use case classification. Stud Health Technol Inform 2016 228:230–4.|
|12.||Baalous, R. Poet, R. How dangerous permissions are described in android apps' privacy policies? International Conference on Security of Information and Networks. ACM 2018|
|13.||Wang, Y. Zheng, J. Sun, C. Mukkamala, S. Quantitative security risk assessment of android permissions and applications IFIP Annual Conference on Data and Applications Security and Privacy. Springer 2013|
|14.||Magat, WA. Viscusi, WK. Huber, J. Consumer processing of hazard warning information. Journal of Risk and Uncertainty 1988 1(2):201–32.|
|15.||Enck, W. Ongtang, M. McDaniel, P. On lightweight mobile phone application certification. ACM Conference on Computer and Communications Security ACM|
|16.||Ackerman, MS. Cranor, LF. Reagle, J. Privacy in e-commerce: Examining user scenarios and privacy preferences Conference on Electronic Commerce. ACM 1999|
|17.||Buchanan, T. Paine, C. Joinson, AN. Reips, UD. Development of measures of online privacy concern and protection for use on the Internet. Journal of the American Society for Information Science and Technology 2007 58(2):157–65.|
|18.||Acquisti, A. Privacy in electronic commerce and the economics of immediate gratification ACM Conference on Electronic Commerce. ACM 2004|
|19.||Jensen, C. Potts, C. Jensen, C. Privacy practices of Internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies 2005 63(1-2):203–27.|
|20.||Barrera, D. Kayacik, HG. Van, OPC. Somayaji, A. A methodology for empirical analysis of permission-based security models and its application to android Conference on Computer and Communications Security. ACM 2010|