Many leading Android health apps require risky permissions that could expose users to avoidable threats, such as privacy violations or identity theft, according to an investigation by Cybernews.
Cybernews researchers tested permissions required by 50 popular health apps, including those for fitness, sleep tracking, meditation, mental health, quitting smoking, blood-sugar measurement, and medication reminders.
Many permissions are necessary for apps to function correctly. For instance, a fitness application needs location access to track the distance the user ran or cycled.
However, some permissions are riskier than others, as they could grant apps access to sensitive data and functionalities. If misused, they could compromise user privacy and security.
Granting these permissions to malicious apps — disguised as legitimate apps but designed to exploit a user’s data — can result in unauthorized access to personal information, leading to identity theft, data breaches, and privacy violations.
Most apps ask for risky permissions
Nearly half (44%) of Android health apps tested require "camera access" permission, which allows them to utilize the camera functionality for taking photos and recording videos. However, cameras can potentially capture sensitive and private information. Granting such permission to a malicious app could enable it to secretly take pictures or record videos without the user's knowledge or consent.
Most (58%) of tested apps have "read external storage" permission, allowing the app to access files, documents, images, or other data stored on the device's external storage. If misused, it could lead to privacy breaches or unauthorized access to sensitive information stored by other apps or the user.
"Record audio" permission was detected in 12% of tested apps. It gives the app access to the device's microphone and allows recording audio. Misusing the permission can lead to serious privacy violations, such as recording conversations or ambient sounds without the user's knowledge or consent.
Half (52%) of tested apps have "write external storage" permission, which enables the app to write or modify data on the device's external storage, such as the SD card. If misused, this could lead to data loss, unauthorized modification of user files, or potential manipulation of sensitive data.
Nearly one in five (18%) of tested apps require the "get accounts" permission, which allows the app to access the list of accounts associated with the device, including Google and associated email. The permission is considered risky because, if misused, it could lead to unauthorized access to personal account information or potential phishing attacks.
"Read accounts" permission allowing the app to access the user's contacts or address book was detected in 18% of tested apps. If misused, it could lead to privacy violations, data harvesting, or unauthorized sharing of contact details with third parties.
A small share (4%) of tested apps have "access background location" permission. It allows the app to access the device's location even when the app is not actively being used. Such access may reveal a user's movements and behavior without their immediate awareness.
How to protect yourself?
Mantas Kasiliauskis, an information security researcher at Cybernews, says it is possible to revoke risky permissions granted while installing Android health apps.
"Go to your device's settings and find the 'Apps' or 'Application Manager' section. Then, tap on 'Permissions' or a similar option and revoke any permissions that you think are excessive or unnecessary for the app to function. The other way is to uninstall the app," he told Healthnews.
Kasiliauskis says recognizing a malicious Android app may be challenging, as some are designed to appear legitimate. However, there are signs indicating that the app could be potentially dangerous, such as requesting too many permissions.
"For instance, a calculator app asking for access to your contacts and location, or a fitness app asking permission to call a phone or read SMS, is suspicious," he says.
If you realize you have installed a malicious app, uninstall it as soon as possible, Kasiliauskis says.
"After uninstalling the app, consider changing your passwords, especially for email, banking, and social media accounts. Alternatively, if you suspect your device is compromised and cannot be cleaned through standard means, factory reset the device," he adds.