An empirical study on secure usage of mobile health apps: The attack simulation approach

Abstract

: Mobile applications (apps) have proven their usefulness in enhancing service provisioning across a multitude of domains that range from smart healthcare, to mobile commerce, and areas of context-sensitive computing. In smart healthcare context, mobile health (mHealth) apps - representing a specific genre of mobile apps that manage health information - face some critical challenges relating to security and privacy of device and user data. In recent years, a number of empirically grounded, survey-based studies have been conducted to investigate secure usage of mHealth apps. However, such studies rely on self-reported behaviors documented via interviews or survey questions that lack practical approaches that can simulate attack scenario for monitoring users’ actions and behaviors while using mHealth apps. : Our objective was to conduct an empirical study - engaging participants with attack simulation scenarios and analyze their actions - for investigating the security awareness of mHealth app users. : We simulated some common security attack scenarios in mHealth context and engaged a total of 105 app users to monitor their actions and analyze their behavior. We analyzed users' data with statistical analysis including correlations test, descriptive analysis, and qualitative data analysis (i.e., thematic analysis method). : Our results indicate that whilst the minority of our participants perceived access permissions positively, the majority had negative views. Users provide their consent, granting permissions, without a careful review of privacy policies that leads to undesired or malicious access to health data. Findings also indicated that 73.3% of our participants had denied at least one access permission, and 36% of our participants preferred no authentication method. : The study complements existing research on secure usage of mHealth apps, simulates security threats to monitor users’ actions, and provides empirically grounded guidelines for secure development and usage of mobile health systems.