A big review finds many health apps are oversharing on users’ behalf.

An in-depth analysis of more than 20,000 health-related mobile applications has found “serious problems with privacy and inconsistent privacy practices”.

The researchers say the collection of personal user information is “a pervasive practice” and that patients “should be informed on the privacy practices of these apps and the associated privacy risks before installation and use.”

Tens of thousands of apps are now offered on all major devices to manage health conditions, check symptoms, track menstruation and count steps or calories. This means many of the apps contain sensitive health information.

App developers routinely, and legally, share user data, but inadequate privacy disclosures have been repeatedly found for many health apps, preventing users from making informed choices on the data.

Researchers at Macquarie University have taken more than 15,000 free health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps.

They found that while health apps collected less user data than other types of mobile apps, 88 per cent could access and potentially share personal data.

For example, about two thirds could collect advert identifiers or cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s geolocation.

Only 4 per cent of health apps actually transmitted data (mostly user’s name and location information). However, the researchers say this percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps.

Additionally, 87.5 per cent of data collection operations and 56 per cent of user data transmissions were on behalf of third party services, such as external advertisers, analytics, and tracking providers, and 23 per cent of user data transmissions occurred on insecure communication channels.

The top 50 third parties were responsible for most (68 per cent) of the data collection operations, which most commonly were a small number of tech corporations, including Google, Facebook, and Yahoo!

The researchers also found that 28 per cent of the health apps did not offer any privacy policy text, and at least 25 per cent of user data transmissions violated what was stated in the privacy policies. However, only 1.3 per cent of user reviews raised concerns about privacy.

The researchers pointed out that consumers can make it more difficult to be tracked by disabling advert identifiers, adjusting app permissions, and using advert blockers, but say “we must also advocate for greater scrutiny, regulation, and accountability on the part of key players behind the scenes - the app stores, digital advertisers, and data brokers - to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise”.

The study is accessible here.