{"id":"https://openalex.org/W4414981004","doi":"https://doi.org/10.48550/arxiv.2510.06015","title":"\"Your Doctor is Spying on You\": An Analysis of Data Practices in Mobile Healthcare Applications","display_name":"\"Your Doctor is Spying on You\": An Analysis of Data Practices in Mobile Healthcare Applications","publication_year":2025,"publication_date":"2025-10-07","ids":{"openalex":"https://openalex.org/W4414981004","doi":"https://doi.org/10.48550/arxiv.2510.06015"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2510.06015","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2510.06015","pdf_url":"https://arxiv.org/pdf/2510.06015","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2510.06015","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5060679116","display_name":"Lois Stevenson","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Stevenson, Luke","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5059400253","display_name":"Sanchari Das","orcid":"https://orcid.org/0000-0003-1299-7867"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Das, Sanchari","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5060679116"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11446","display_name":"Mobile Health and mHealth Applications","score":0.9150000214576721,"subfield":{"id":"https://openalex.org/subfields/3600","display_name":"General Health Professions"},"field":{"id":"https://openalex.org/fields/36","display_name":"Health Professions"},"domain":{"id":"https://openalex.org/domains/4","display_name":"Health Sciences"}},"topics":[{"id":"https://openalex.org/T11446","display_name":"Mobile Health and mHealth Applications","score":0.9150000214576721,"subfield":{"id":"https://openalex.org/subfields/3600","display_name":"General Health Professions"},"field":{"id":"https://openalex.org/fields/36","display_name":"Health Professions"},"domain":{"id":"https://openalex.org/domains/4","display_name":"Health Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/permission","display_name":"Permission","score":0.7807000279426575},{"id":"https://openalex.org/keywords/mhealth","display_name":"mHealth","score":0.6384999752044678},{"id":"https://openalex.org/keywords/health-care","display_name":"Health care","score":0.586899995803833},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.5809000134468079},{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.5799000263214111},{"id":"https://openalex.org/keywords/confidentiality","display_name":"Confidentiality","score":0.5248000025749207},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.517799973487854},{"id":"https://openalex.org/keywords/data-breach","display_name":"Data breach","score":0.45100000500679016},{"id":"https://openalex.org/keywords/mobile-device","display_name":"Mobile device","score":0.4480000138282776},{"id":"https://openalex.org/keywords/information-privacy","display_name":"Information privacy","score":0.42579999566078186}],"concepts":[{"id":"https://openalex.org/C2779089604","wikidata":"https://www.wikidata.org/wiki/Q7169333","display_name":"Permission","level":2,"score":0.7807000279426575},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.7193999886512756},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7110999822616577},{"id":"https://openalex.org/C2779363104","wikidata":"https://www.wikidata.org/wiki/Q17069079","display_name":"mHealth","level":3,"score":0.6384999752044678},{"id":"https://openalex.org/C160735492","wikidata":"https://www.wikidata.org/wiki/Q31207","display_name":"Health care","level":2,"score":0.586899995803833},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.5809000134468079},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.5799000263214111},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.5248000025749207},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.517799973487854},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.48570001125335693},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.45100000500679016},{"id":"https://openalex.org/C186967261","wikidata":"https://www.wikidata.org/wiki/Q5082128","display_name":"Mobile device","level":2,"score":0.4480000138282776},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.42579999566078186},{"id":"https://openalex.org/C2780476252","wikidata":"https://www.wikidata.org/wiki/Q6036832","display_name":"Inquest","level":2,"score":0.3903999924659729},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.38749998807907104},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.38600000739097595},{"id":"https://openalex.org/C10511746","wikidata":"https://www.wikidata.org/wiki/Q899388","display_name":"Data security","level":3,"score":0.3612000048160553},{"id":"https://openalex.org/C2988145974","wikidata":"https://www.wikidata.org/wiki/Q620615","display_name":"Mobile apps","level":2,"score":0.35280001163482666},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.3504999876022339},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.33340001106262207},{"id":"https://openalex.org/C2780433410","wikidata":"https://www.wikidata.org/wiki/Q5276090","display_name":"Digital health","level":3,"score":0.33340001106262207},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.3237000107765198},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.3224000036716461},{"id":"https://openalex.org/C2780967490","wikidata":"https://www.wikidata.org/wiki/Q1291200","display_name":"Mobile malware","level":3,"score":0.3222000002861023},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.3151000142097473},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.30880001187324524},{"id":"https://openalex.org/C558872910","wikidata":"https://www.wikidata.org/wiki/Q165950","display_name":"Espionage","level":2,"score":0.298799991607666},{"id":"https://openalex.org/C69360830","wikidata":"https://www.wikidata.org/wiki/Q1172237","display_name":"Data Protection Act 1998","level":2,"score":0.29649999737739563},{"id":"https://openalex.org/C180198813","wikidata":"https://www.wikidata.org/wiki/Q121182","display_name":"Information system","level":2,"score":0.2906999886035919},{"id":"https://openalex.org/C195910791","wikidata":"https://www.wikidata.org/wiki/Q1324077","display_name":"Medical record","level":2,"score":0.2906000018119812},{"id":"https://openalex.org/C144543869","wikidata":"https://www.wikidata.org/wiki/Q2738570","display_name":"Mobile computing","level":2,"score":0.28839999437332153},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2881999909877777},{"id":"https://openalex.org/C2778306010","wikidata":"https://www.wikidata.org/wiki/Q606563","display_name":"Health Insurance Portability and Accountability Act","level":3,"score":0.28299999237060547},{"id":"https://openalex.org/C133652896","wikidata":"https://www.wikidata.org/wiki/Q7251300","display_name":"Protected health information","level":5,"score":0.27570000290870667},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.26249998807907104},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.2599000036716461},{"id":"https://openalex.org/C102938260","wikidata":"https://www.wikidata.org/wiki/Q1999831","display_name":"Privacy policy","level":3,"score":0.25600001215934753},{"id":"https://openalex.org/C2776788033","wikidata":"https://www.wikidata.org/wiki/Q320769","display_name":"Eavesdropping","level":2,"score":0.2524999976158142},{"id":"https://openalex.org/C95491727","wikidata":"https://www.wikidata.org/wiki/Q992968","display_name":"Mobile telephony","level":3,"score":0.25029999017715454}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2510.06015","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2510.06015","pdf_url":"https://arxiv.org/pdf/2510.06015","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2510.06015","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2510.06015","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2510.06015","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2510.06015","pdf_url":"https://arxiv.org/pdf/2510.06015","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4414981004.pdf","grobid_xml":"https://content.openalex.org/works/W4414981004.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Mobile":[0,51],"healthcare":[1],"(mHealth)":[2],"applications":[3],"promise":[4],"convenient,":[5],"continuous":[6],"patient-provider":[7],"interaction":[8],"but":[9],"also":[10],"introduce":[11],"severe":[12],"and":[13,17,39,49,66,84,129],"often":[14],"underexamined":[15],"security":[16,127],"privacy":[18,108],"risks.":[19],"We":[20],"present":[21],"an":[22],"end-to-end":[23],"audit":[24],"of":[25,92,132],"272":[26],"Android":[27],"mHealth":[28],"apps":[29],"from":[30],"Google":[31],"Play,":[32],"combining":[33],"permission":[34,123],"forensics,":[35],"static":[36],"vulnerability":[37],"analysis,":[38],"user":[40,95],"review":[41],"mining.":[42],"Our":[43],"multi-tool":[44],"assessment":[45],"with":[46,103],"MobSF,":[47],"RiskInDroid,":[48],"OWASP":[50],"Audit":[52],"revealed":[53],"systemic":[54],"weaknesses:":[55],"26.1%":[56],"request":[57],"fine-grained":[58],"location":[59],"without":[60,70],"disclosure,":[61],"18.3%":[62],"initiate":[63],"calls":[64],"silently,":[65],"73":[67],"send":[68],"SMS":[69],"notice.":[71],"Nearly":[72],"half":[73],"(49.3%)":[74],"still":[75],"use":[76],"deprecated":[77],"SHA-1":[78],"encryption,":[79],"42":[80],"transmit":[81],"unencrypted":[82],"data,":[83],"6":[85],"remain":[86],"vulnerable":[87],"to":[88,135],"StrandHogg":[89],"2.0.":[90],"Analysis":[91],"2.56":[93],"million":[94],"reviews":[96],"found":[97],"28.5%":[98],"negative":[99],"or":[100,112],"neutral":[101],"sentiment,":[102],"over":[104],"553,000":[105],"explicitly":[106],"citing":[107],"intrusions,":[109],"data":[110],"misuse,":[111],"operational":[113],"instability.":[114],"These":[115],"findings":[116],"demonstrate":[117],"the":[118],"urgent":[119],"need":[120],"for":[121],"enforceable":[122],"transparency,":[124],"automated":[125],"pre-market":[126],"vetting,":[128],"systematic":[130],"adoption":[131],"secure-by-design":[133],"practices":[134],"protect":[136],"Protected":[137],"Health":[138],"Information":[139],"(PHI).":[140]},"counts_by_year":[],"updated_date":"2026-03-12T08:34:05.389933","created_date":"2025-10-10T00:00:00"}