Mobile apps are used in a variety of health settings, from apps that help providers, to apps designed for patients, to health and fitness apps designed for the general public. These apps ask the user for, and then collect and leak a wealth of Personal Information (PI). We analyze the PI that apps collect via their user interface, whether the app or third-party code is processing this information, and finally where the data is sent or stored. Prior work on leak detection in Android has focused on detecting leaks of (hardware) device-identifying information, or policy violations; however no work has looked at processing and leaking of PI in the context of health apps. The first challenge we tackle is extracting the semantic information contained in app UIs to discern the extent, and nature, of personal information. The second challenge we tackle is disambiguating between first-party, legitimate leaks (e.g,. the app storing data in its database) and third-party, problematic leaks, e.g., processing this information by, or sending it to, advertisers and analytics. We conducted a study on 1,243 Android apps: 623 medical apps and 621 health&fitness apps. We categorize PI into 16 types, grouped in 3 main categories: identity, medical, anthropometric. We found that the typical app has one first-party leak and five third-party leaks, though 221 apps had 20 or more leaks. Next, we show that third-party leaks (e.g., advertisers, analytics) are 5x more frequent than first-party leaks. Then, we show that 71% of leaks are to local storage (i.e., the phone, where data could be accessed by unauthorized apps) whereas 29% of leaks are to the network (e.g., Cloud). Finally, medical apps have 20% more PI leaks than health&fitness apps, due to collecting additional medical PI.

翻译：移动应用在多种健康场景中得到使用，从辅助医疗服务提供者的应用，到为患者设计的应用，再到面向大众的健康与健身应用。这些应用向用户索取、收集并泄露大量个人信息。我们分析了应用通过用户界面收集的个人信息，无论这些信息是由应用自身还是第三方代码进行处理，并最终追踪数据的发送或存储位置。先前关于Android泄露检测的研究主要集中于检测（硬件）设备识别信息的泄露或策略违规；然而，尚无研究关注健康应用背景下个人信息的处理与泄露。我们应对的第一个挑战是提取应用用户界面中包含的语义信息，以辨明个人信息的范围和性质。第二个挑战是区分第一方（合法）泄露（例如，应用将数据存储在其数据库中）与第三方（有问题）泄露，例如，由广告和分析服务处理或发送这些信息。我们对1,243个Android应用进行了研究：623个医疗应用和621个健康与健身应用。我们将个人信息分为16种类型，归入3个主要类别：身份信息、医疗信息、人体测量信息。我们发现，典型应用存在一次第一方泄露和五次第三方泄露，尽管有221个应用存在20次或更多泄露。接下来，我们表明第三方泄露（例如，广告商、分析服务）的发生频率是第一方泄露的5倍。然后，我们指出71%的泄露是到本地存储（即手机，数据可能被未授权应用访问），而29%的泄露是到网络（例如，云端）。最后，由于收集了额外的医疗个人信息，医疗应用比健康与健身应用多出20%的个人信息泄露。