We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

9 Jun 2021

Fit for purpose?: The health apps that pose security risks

Every time you use a health app or service you are sharing data. Some companies are hungrier for it, and less security conscious, than others.

Whether you're watching your weight, trying to get pregnant or keeping an eye on your mental health, there are apps and services designed to help you live a healthy life.

All these services require your data to some degree, and a Which? investigation has revealed that some are more demanding than others - and also less careful in terms of security against being hacked.

Our research has revealed security holes that could be exposed by cybercriminals, companies that use more cookies than a bakery, and privacy policies so dense that even a team of lawyers struggled to decode them.

Read on for more, or check our other report on medical apps: Ada, Babylon and WebMD.

Health and personal care - see reviews, ratings and advice on topics ranging from face masks to fitness trackers

Security risks with health apps

You might think that once an app appears on the Google Play or Apple App store, it's been vetted for security. But that's not actually the case.

In January 2021 we asked security researchers 6point6 to assess some popular apps and their associated websites for how well they protect your privacy and security.

We looked at what permissions the apps request, how many cookies they're using to track you online and whether their privacy policies are compliant with GDPR. We also used scanning tools to see if the companies have done all they can to prevent hackers from getting in and stealing your data.

SleepCycle and unencrypted passwords

SleepCycle is one of many apps designed to improve your sleep quality. However, we lost sleep over our test findings. We found flaws in one of its websites, and the SleepCycle app lets you use the weak password, 'password'. Worse still, we found user passwords were being stored on devices without encryption. SleepCycle told us that its software is up to date now and the hole in its website didn't leave any personal data exposed. It said it will review its password policy and look into our findings on storage and 'this will be corrected promptly'.

Out-of-date software

Just under a third of the 25 app companies that we scanned appeared to be using software on their websites that was not up to date with the latest security protections. While this might not seem like a risk, such security holes could give an opportunity to hackers. For example, it was reported that data on millions of Dixons Carphone customers in 2015 was breached after intruders gained access via an out-of-date WordPress interface. One caveat is that our scanning tools can only detect so far while staying within the law, plus some of the companies that did respond, such as SleepCycle, said that they have in fact updated their software.

Weak passwords allowed

Every single app that we tested accepted passwords that would be far too easy for hackers to crack. With such weak security, your account is immediately at risk: a weak password can be cracked in less than a second. Read our guide on how to create strong passwords for some pointers.

Gluttony for cookies

Cookies - small text files used to identify your device as you use an online service - can improve the digital experience but also be used for marketing and advertising.

When you click on the website for WW (formerly Weight Watchers), it chows down on a banquet of cookies. We found a staggering 225 cookies in use, including 87 there to track you.

As you can see in the below graphic, many of the cookies were being operated by third-party advertising firms, including YouTube, Google, Yahoo and AppNexus.

Bizarrely, at the time of testing, one of the highest cookies pages on the site (with more than 100 active) was the main page of the privacy policy. Yes, it's tracking you while you're reading about it tracking you.

WW told Which?: 'WW employs the guidelines, as outlined in PECR from the ICO. The website also contains a cookie management platform that is compliant with the IAB Europe's CMP Compliance Programme.

'We take data privacy seriously at WW GBR LIMITED, both locally and globally. The Cookie management platform we employ requires explicit consent before cookies are dropped onto a consumers [sic] device.

'Consumers have the right and ability to opt out 100% or choose which categories of data are processed on their visit to WW.COM/UK.'

MyFitnessPal had the second highest number of tracking cookies in our test, including a host of advertising companies active when you visit.

We found 138 cookies on the website, with only six deemed necessary, while 63 were being used to track you during your visit. We found 87 cookies being operated by third parties, including 25 advertising firms.

Under Armour, which runs MyFitnessPal, also didn't respond to our findings.

Health apps and data privacy

We used two teams of lawyers to analyse the privacy policies of the 25 apps and services we assessed. They ploughed through more than 1,000 pages of documents, containing more than 500,000 words - nearly as long as reading the entirety of War and Peace by Leo Tolstoy.

Aside from the sheer length of the reading, on several occasions we were left scratching our heads over whether they comply with the spirit of the General Data Protection Regulation (GDPR).

If you do want to know more about your privacy, we'd advise you to focus on the sections in policies on data collection. See what the providers declare and what they say about sharing your data with third parties. If it sounds a bit iffy, it's probably best to avoid the service.

Health apps and permissions

Another aspect to check is permissions. When you download an app it requests access to data or functions on your device, so it is worth checking if these seem proportionate.

One Android app we tested wanted access to 30 different permissions on your device, including your precise location, phone contacts, photos, microphone, vibration function and even, bizarrely, to use the torch if they so desired.

How to stay secure while using health apps

While there's clearly work to be done to shore up the issues we found with health apps, there are things you can do yourself to keep your data safe.

  • PasswordsAlways set strong passwords for your accounts - choose three random words as detailed in advice on setting strong passwords. Or better still, use a password manager.
  • 2FA None of the health apps we tested offered a full two-factor authentication (2FA) system for more effectively securing your account against hackers. You can sometimes link your Google account for extra security using Google's 2FA system, but be wary of any data trade-offs from that.
  • How to control your cookiesBy law, all websites must present you with a cookie warning when you first visit. This enables you to set what cookies you want active while you use the site. Just be careful when using these controls as they can often be designed to 'encourage' you to just accept everything. Web browsers are also starting to block third-party cookies by default, including Firefox, Google Chrome and Safari.