Exposed: The Risks of Using Popular Mental Health Apps with 14.7M Installs

Mental Health Apps on Google Play Expose Millions to Security Flaws

A recent study has revealed that several mental health mobile applications available on Google Play Store, with millions of downloads, contain critical security vulnerabilities that could potentially expose users’ confidential medical information.

Among the alarming findings, security researchers uncovered more than 85 medium- and high-severity vulnerabilities in one of the apps. These vulnerabilities could be exploited by malicious actors to compromise users’ therapy data and breach their privacy.

Notably, some of these apps are AI companions specifically designed to assist individuals dealing with clinical depression, various forms of anxiety, panic attacks, stress, and bipolar disorder.

One concerning aspect is that at least six of the ten analyzed apps claim that user conversations or chats are kept private or securely encrypted on the vendor's servers, a claim the findings below call into question.

Sergey Toshin, the founder of mobile security company Oversecured, highlighted the unique risks associated with mental health data. He stated, “On the dark web, therapy records fetch prices of $1,000 or more per record, significantly higher than credit card numbers.”

Discovery of Over 1,500 Security Issues

Oversecured conducted scans on ten mental health mobile apps promoted as tools to aid various mental health issues. The scans uncovered a total of 1,575 security vulnerabilities, with 54 rated as high-severity, 538 as medium-severity, and 983 as low-severity.


| App | Type | Installs | High | Medium | Low | Total | Scan date |
|-----|------|----------|------|--------|-----|-------|-----------|
| 01 | Mood & habit tracker | 10M+ | 1 | 147 | 189 | 337 | 01/23/2026 |
| 02 | AI therapy chatbot | 1M+ | 23 | 63 | 169 | 255 | 01/22/2026 |

Although none of the identified issues were classified as critical, they could still be exploited to intercept login credentials, spoof notifications, perform HTML injection, or track user locations.

During the analysis, Oversecured used its scanner to examine the APK files of the ten mental health apps for known vulnerability patterns across several categories.

One concerning revelation from the researchers is that some of the apps “parse user-supplied URIs without adequate validation,” potentially opening them up to security risks.

For instance, one therapy app with over a million downloads calls Intent.parseUri() on an externally controlled string and launches the resulting intent (Android's inter-component messaging object) without validating its target component.

Because the app itself issues the launch, this flaw could let an attacker steer it into opening its own internal (non-exported) activities, potentially exposing authentication tokens and session data.
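The pattern just described, with a hardened counterpart, as an added example that is not code from the audited apps or from Oversecured. Class and method names are hypothetical; the only assumption is that the string arrives from an untrusted source such as a WebView link or a deep link. The defensive steps (clearing the explicit component and selector, stripping URI-permission grant flags, requiring the BROWSABLE category) follow Android's documented guidance for intent: URIs; the final same-package check is stricter than that minimum and is a design choice explained in the comment.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import java.net.URISyntaxException;

/**
 * Added example (hypothetical names): sanitizing an Intent built from a
 * user-supplied URI before the app launches it on the caller's behalf.
 */
public final class IntentUriGuard {

    // Vulnerable shape: whatever the string says, the app launches it itself.
    // Since the app, not the attacker, calls startActivity(), the URI can name
    // one of the app's own non-exported activities or carry grant flags that
    // an outside caller could never set directly.
    static void launchUnsafely(Context ctx, String externallyControlled)
            throws URISyntaxException {
        Intent intent = Intent.parseUri(externallyControlled, Intent.URI_INTENT_SCHEME);
        ctx.startActivity(intent);
    }

    /**
     * Hardened shape: parse, then strip everything that lets the URI steer the
     * intent toward a specific component, and require it to resolve to an
     * activity that opted in to web-originated intents. Returns null when the
     * URI must not be launched.
     */
    static Intent sanitize(Context ctx, String externallyControlled) {
        Intent intent;
        try {
            intent = Intent.parseUri(externallyControlled, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return null;   // malformed input is simply refused
        }
        // 1. Forget any explicit target: the URI may not choose the component.
        intent.setComponent(null);
        intent.setSelector(null);
        // 2. Drop flags that would lend this app's content-provider grants to the receiver.
        intent.setFlags(intent.getFlags()
                & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
                  | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                  | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                  | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
        // 3. Only activities declared BROWSABLE are meant to receive web-originated intents.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // 4. Design choice: refuse anything that still resolves inside this app's own
        //    package. An implicit intent sent by the app itself can still reach one of
        //    its non-exported activities that declares an intent filter, so the component
        //    reset in step 1 alone does not close the "internal activity" path.
        ComponentName target = intent.resolveActivity(ctx.getPackageManager());
        if (target == null || ctx.getPackageName().equals(target.getPackageName())) {
            return null;
        }
        return intent;
    }

    static void launchSafely(Context ctx, String externallyControlled) {
        Intent intent = sanitize(ctx, externallyControlled);
        if (intent != null) {
            ctx.startActivity(intent);
        }
    }
}
```

If the app genuinely needs user-supplied URIs to open one of its own screens, replace step 4 with an explicit allowlist of the exported activities that may be reached this way, rather than trusting whatever the URI resolves to.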

Another serious issue highlighted by Oversecured is insecure local storage: data written to locations readable by any app on the device. This could expose therapy-related information such as journal entries, session notes, and assessment scores.

The researchers also identified plaintext configuration data, including backend API endpoints and a hardcoded Firebase database URL, within the APK resources of some vulnerable apps.

Furthermore, certain apps with security flaws were found to use the cryptographically insecure java.util.Random class for generating session tokens or encryption keys.
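The two local-storage weaknesses named above (world-readable files and java.util.Random as a token source), each beside its fix, as an added example that is not code from the audited apps or from Oversecured. Class, method and file names are hypothetical, and the 256-bit token length is an assumption rather than a value from the report.

```java
import android.content.Context;
import android.util.Base64;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Random;

/**
 * Added example (hypothetical names): generating and storing a session token
 * the wrong way and the right way.
 */
public final class SessionTokenStore {
    private static final String TOKEN_FILE = "session_token";  // assumed file name
    private static final int TOKEN_BYTES = 32;                  // 256 bits of entropy (assumption)

    // Weak: java.util.Random is a 48-bit linear congruential generator. Its
    // internal state can be recovered from a couple of observed outputs, and its
    // default seed is predictable, so a token built this way is guessable.
    static String weakToken() {
        Random rng = new Random();
        return Long.toHexString(rng.nextLong()) + Long.toHexString(rng.nextLong());
    }

    // Fixed: SecureRandom is backed by the platform CSPRNG. 32 bytes, URL-safe
    // Base64 without padding, gives a 43-character token safe to place in headers.
    static String strongToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(buf);
        return Base64.encodeToString(buf, Base64.NO_WRAP | Base64.URL_SAFE | Base64.NO_PADDING);
    }

    // Weak: MODE_WORLD_READABLE makes the file readable by every app on the
    // device (deprecated since API 17; throws SecurityException on API 24+).
    // External storage and an exported, permission-less content provider have
    // the same effect on newer platforms.
    @SuppressWarnings("deprecation")
    static void saveWorldReadable(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(TOKEN_FILE, Context.MODE_WORLD_READABLE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Fixed: MODE_PRIVATE keeps the file inside the app sandbox, readable only by
    // this app's UID. Limit: a process running as root bypasses the sandbox, which
    // is why root detection is a separate concern.
    static void savePrivate(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(TOKEN_FILE, Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Reads the token back from the app-private file; null if the file is empty.
    static String load(Context ctx) throws IOException {
        try (FileInputStream in = ctx.openFileInput(TOKEN_FILE)) {
            byte[] buf = new byte[TOKEN_BYTES * 2];
            int n = in.read(buf);
            return n <= 0 ? null : new String(buf, 0, n, StandardCharsets.UTF_8);
        }
    }
}
```

For encryption keys, as opposed to opaque session tokens, the stronger fix is not to store the key in a file at all: generate it inside the Android Keystore with KeyGenParameterSpec so that the key material never leaves hardware-backed storage, and set android:allowBackup="false" in the manifest so app-private files are not copied into device backups.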

According to Oversecured, most of the apps lacked root detection mechanisms. On a rooted (jailbroken) device, any app running with root privileges can read all of the health data another app stores locally, since root bypasses the per-app sandbox.

While six of the ten apps showed zero high-severity issues, they still contained medium-severity vulnerabilities that could compromise their overall security posture.

These apps are repositories of highly sensitive personal data, including therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA regulations.

Combined, the analyzed apps had amassed over 14.7 million downloads, with only a few receiving recent updates. The scans conducted by Oversecured took place in January, targeting the latest available versions of the apps, with the researchers unable to confirm if the identified vulnerabilities have since been addressed.

In line with responsible disclosure practices, BleepingComputer has refrained from disclosing the names of the affected apps while the vulnerabilities are being addressed by Oversecured.
