Security Challenges in Iranian Android mHealth Apps Permissions

Background: Android is a popular platform for mobile applications development. It uses permissions to protect sensitive information of users and inform them about the app installation risks. Android permissions have several protection levels. The two most important protection levels are normal and dangerous permissions. Dangerous permissions could potentially affect the user s privacy or the device s normal operation so system asks the user to explicitly grant those permissions. Objectives: We study Iranian android mHealth applications to describe usage of dangerous permissions in health related mobile applications development. Materials/Patients and Methods: We wrote a PHP script to crawl permission information of android mHealth apps from the most popular Iranian android app store “Cafebazaar”. We overviewed most frequently normal and dangerous permissions used in mHealth apps development. Results: The information of 3602 apps were gathered from two categories medicine and health. 271 apps were removed in two phases. Total number of permissions used in 3331 remained apps are 11627 with the average of 3.49 permissions per app. Number of unique permissions used in studied apps are 365 different permissions. There is at least one dangerous permission in 48% of reviewed apps. 41% of free apps, 53% of paid apps and 71% of in-purchase apps contained dangerous permissions. 1321 applications had permission writing to external storage of phone (45%), 1288 apps had access to read from external storage (43%), 422 apps could read contact list and ongoing calls (13%) and 188 apps were allowed to access phone location (6%). Conclusion: Most of people are very protective about their privacy especially when asked directly about their personal information but they are not informed about the security challenges of personal data stored in phone. The intention of android’s permission mechanism is to warning about the risks of installing apps but in most of time users ignore them. The most common requested permission in studied apps is INTERNET which allows applications connect to internet (76% of apps). Internet connection is not considered as a dangerous permission by itself but when Internet permission is allowed with a dangerous permissions in an application simultaneously, the risk of privacy violations increased.