Several mental health apps for mobile phones with millions of downloads on Google Play contain security vulnerabilities that could expose users' sensitive medical information.
In one of the applications alone, security researchers found more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise treatment data and user privacy.

Some of the products are artificial intelligence companions designed to help people suffering from clinical depression, multiple forms of anxiety, panic attacks, stress and bipolar disorder.
At least six out of ten apps analyzed state that user conversations or chats remain private or are securely encrypted on the provider's servers.
Over 1,500 security issues found
Oversecured scanned ten mobile apps advertised as tools for various mental health problems and found a total of 1,575 security vulnerabilities (54 rated high severity, 538 medium severity and 983 low severity).
| # | App type | Installs | High | Medium | Low | Total | Scan date |
|---|---|---|---|---|---|---|---|
| 01 | Mood & habit tracker | 10M+ | 1 | 147 | 189 | 337 | 01/23/2026 |
| 02 | AI therapy chatbot | 1M+ | 23 | 63 | 169 | 255 | 01/22/2026 |
| 03 | AI emotional health platform | 1M+ | 13 | 124 | 78 | 215 | 01/23/2026 |
| 04 | Health & symptom tracker | 500k+ | 7 | 31 | 173 | 211 | 01/22/2026 |
| 05 | Depression management tool | 100k+ | - | 66 | 91 | 157 | 01/23/2026 |
| 06 | CBT-based anxiety app | 500k+ | 3 | 45 | 62 | 110 | 01/22/2026 |
| 07 | Online therapy & support community | 1M+ | 7 | 20 | 71 | 98 | 01/23/2026 |
| 08 | Anxiety & phobia self-help | 50k+ | - | 15 | 54 | 69 | 01/22/2026 |
| 09 | Military stress management | 50k+ | - | 12 | 50 | 62 | 01/22/2026 |
| 10 | AI CBT chatbot | 500k+ | - | 15 | 46 | 61 | 01/23/2026 |
While none of the issues discovered is rated critical, many could be exploited to steal login credentials, forge notifications, inject HTML or identify the user.
The researchers used the Oversecured scanner to check the APK files of the ten mental health apps for known vulnerability patterns across dozens of categories.
In a report shared with BleepingComputer, the researchers say that some of the scanned apps "parse user-provided URIs without sufficient validation."
A therapy app with more than one million downloads calls Intent.parseUri() on an externally controlled string and starts the resulting Intent without validating its target component.
This lets an attacker force the app to launch any of its internal activities, even ones never intended to be reachable from outside the app.
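As an added illustration (not code from any of the scanned apps or from Oversecured's report), the unsafe pattern described above sits beside a hardened handler that rebuilds a fresh Intent from an allow-listed subset of the parsed input; `ALLOWED_HOST`, `ArticleActivity` and the `path` extra are placeholders.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import java.net.URISyntaxException;

// Hypothetical deep-link handler; names below are placeholders, not from a real app.
public final class DeepLinkHandler {
    private static final String ALLOWED_HOST = "example.com";                        // placeholder
    private static final String TARGET_ACTIVITY = "com.example.app.ui.ArticleActivity"; // placeholder

    // Unsafe pattern: the externally supplied string fully controls the Intent,
    // including its component, so any non-exported activity can be reached.
    static void openUnsafe(Context ctx, String uriString) throws URISyntaxException {
        Intent intent = Intent.parseUri(uriString, Intent.URI_INTENT_SCHEME);
        ctx.startActivity(intent);
    }

    // Hardened: parse only to extract data, reject anything that names a
    // component/package/selector, then construct a new Intent ourselves.
    static Intent buildSafe(Context ctx, String uriString) {
        Intent parsed;
        try {
            parsed = Intent.parseUri(uriString, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return null; // malformed input: do nothing
        }
        if (parsed.getComponent() != null || parsed.getPackage() != null
                || parsed.getSelector() != null) {
            return null; // caller tried to pick the destination: refuse
        }
        Uri data = parsed.getData();
        if (data == null || !"https".equals(data.getScheme())
                || !ALLOWED_HOST.equals(data.getHost())) {
            return null; // only our own HTTPS host is accepted
        }
        // Fresh Intent: fixed destination, only the fields we chose are forwarded.
        Intent safe = new Intent(Intent.ACTION_VIEW);
        safe.setComponent(new ComponentName(ctx, TARGET_ACTIVITY));
        safe.putExtra("path", data.getPath());
        return safe;
    }

    static void openSafe(Context ctx, String uriString) {
        Intent safe = buildSafe(ctx, uriString);
        if (safe != null) {
            ctx.startActivity(safe);
        }
    }
}
```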

Another issue is local storage that is readable by any app on the device. Depending on what is stored, this could expose treatment details such as treatment records, Cognitive Behavioral Therapy (CBT) session notes and various ratings.
Oversecured also states that it found plaintext configuration data, including support API endpoints and a hard-coded Firebase database URL, inside the application resources (APK).
Additionally, some of the vulnerable apps use the cryptographically insecure java.util.Random class to generate session tokens or encryption keys.
According to the researchers, most of the ten apps lack any form of root detection. On a rooted (jailbroken) device, any app with root privileges can read all locally stored health data.
Oversecured says that six out of the ten applications analyzed "had zero high-severity findings, but still had medium-severity issues that weakened their overall security posture."

By BleepingComputer's count, the combined number of downloads for the apps Oversecured scanned exceeds 14.7 million, and only four of them were updated this month. For the rest, the most recent update dates back to November 2025 or even September 2024.
Oversecured's scans took place on January 22 and 23 and targeted the latest versions of the apps available at the time. The researchers cannot confirm whether any of the uncovered vulnerabilities have since been addressed.
BleepingComputer is not disclosing the names of the affected apps, as Oversecured is still in the process of disclosing the vulnerabilities to the vendors.