• Several mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users’ sensitive medical information.
• In one of the apps, security researchers discovered more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users’ therapy data and privacy.
• Some of the products are AI companions designed to help people suffering from clinical depression, multiple forms of anxiety, panic attacks, stress, and bipolar disorder.
• At least six of the ten analyzed apps state that user conversations or chats remain private, or are encrypted securely on the vendor’s servers.
• “Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,” says Sergey Toshin, founder of mobile security company Oversecured.
Article Summaries:
- Security researchers found 1,575 vulnerabilities across ten popular mental health apps on Google Play, many of which could expose sensitive therapy data. The scan, conducted by Oversecured, revealed 54 high-severity, 538 medium-severity, and 983 low-severity issues in apps with over 14 million installs combined. While no critical flaws were reported, the weaknesses allow credential interception, spoofed notifications, HTML injection, and unauthorized access to internal activities that handle authentication tokens. Additional concerns include insecure local storage, plaintext API endpoints, and use of java.util.Random for session tokens. The findings highlight the need for stronger security in apps handling medical information.
- A security audit by Oversecured found 1,575 vulnerabilities in ten mental health apps that together have over 14.7 million installs on Google Play. The flaws (54 high-severity, 538 medium-severity, and 983 low-severity) could allow attackers to intercept login credentials, spoof notifications, or inject HTML, potentially exposing therapy records that fetch $1,000+ on the dark web. No critical bugs were reported, but several apps parse external URIs without validation and store data in ways that any device app can read. The scan also uncovered plaintext API endpoints and the use of insecure java.util.Random for session tokens.
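The java.util.Random session-token finding above, as an added Java example that is not code from the article or from any of the audited apps: the weak pattern beside a SecureRandom replacement, with a constructed seed value standing in for the clock-derived seed such code typically uses.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example: the weak token pattern the audit describes next to a hardened one.
public class SessionTokenDemo {

    // WEAK: java.util.Random is a 48-bit linear congruential generator. Its output
    // is fully determined by the seed, so a token built this way is reproducible
    // and must not be used as a secret.
    static String weakToken(long seed) {
        Random rnd = new Random(seed);          // apps often seed with the current time
        byte[] buf = new byte[16];
        rnd.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // HARDENED: SecureRandom draws from the platform CSPRNG; 32 bytes give a
    // 256-bit token that cannot be reproduced from earlier outputs or a guessed seed.
    static String secureToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long seed = 1_700_000_000_000L;  // constructed stand-in for a millisecond timestamp
        String a = weakToken(seed);
        String b = weakToken(seed);
        // Same seed, same token: a timestamp carries very little entropy, so the
        // server's token is recoverable by anyone who can narrow down the seed.
        System.out.println("weak tokens identical:   " + a.equals(b));
        System.out.println("secure tokens identical: "
                + secureToken().equals(secureToken()));
    }
}
```

In a code review, flag any `new Random(` or `Math.random()` reaching a session, reset or CSRF token path and replace it with `SecureRandom`; the token length and encoding can stay as they were.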
Sources:
- https://www.bleepingcomputer.com/news/security/android-mental-health-apps-with-147m-installs-filled-with-security-flaws/ (Latest source article published: 2026-02-23 22:59 UTC)