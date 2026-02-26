Mental Health Apps With Millions Of Downloads Pose Major Security Risks As Security Researchers Uncover 1,500 Vulnerabilities
Security researchers have discovered over 1,500 vulnerabilities in ten popular mental health apps with 14.7 million installs, putting sensitive user therapy data at serious risk.
Published : February 26, 2026 at 10:03 AM IST
Hyderabad: Ten mental health apps available on Google Play, collectively downloaded more than 14.7 million times, have been found to contain serious security vulnerabilities that could expose users' most sensitive personal data. According to a report published by mobile security firm Oversecured, researchers uncovered a total of 1,575 security flaws across these ten apps, including 54 high-severity and 538 medium-severity vulnerabilities.
The affected apps are designed to assist users dealing with clinical depression, anxiety, panic attacks, stress, and bipolar disorder. At least six of the ten apps had explicitly claimed that user conversations were private or securely encrypted.
The report stresses the severity of the risk in light of the value of the data involved. Sergey Toshin, founder of Oversecured, said, "Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record — far more than credit card numbers."
Among the most concerning findings, one app with over one million downloads was found to process external links without adequate validation, potentially allowing an attacker to gain unauthorised access to a user's therapy records, authentication tokens, and session data. The report also highlighted a vulnerability that allowed locally stored data, including Cognitive Behavioural Therapy (CBT) session notes, mood logs, and therapy entries, to be accessed by any other app on the same device.
Oversecured’s researchers also found that several apps stored plaintext configuration data, including backend Application Programming Interface (API) endpoints and hardcoded database URLs, directly within the app's code.
Several apps were additionally found to use an outdated and cryptographically weak method for generating session tokens and encryption keys, leaving user accounts further exposed.
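As an added illustration, not code from the report or from any of the apps it covers, the two flaw classes described above can be shown side by side in plain Java, the language most Android apps are built in: a link handler that opens whatever URL it receives versus one that enforces an https scheme and a host allowlist, and session-token generation with java.util.Random versus SecureRandom. The host app.example.com, the class name and the method names are assumptions made for this example; nothing here is drawn from the affected apps.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import java.util.Set;

public class DeepLinkAndTokenHardening {

    // Hypothetical allowlist of hosts the app is willing to open (assumption for this example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    // WEAK: java.util.Random is a 48-bit linear congruential generator. Anyone who
    // observes a couple of its outputs can recover the state and predict every later
    // token. Never use it for session tokens or encryption keys.
    static String weakSessionToken() {
        Random rng = new Random();
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // STRONG: SecureRandom draws from the platform CSPRNG (/dev/urandom on Android).
    // 32 bytes gives a 256-bit token, which is plenty for a bearer secret.
    static String strongSessionToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // WEAK: the incoming link is handed straight to a WebView or HTTP client. A crafted
    // link or a malicious app on the same device can point the request at an attacker's
    // host and walk away with whatever token or cookie travels with it.
    static String weakOpenLink(String incoming) {
        return incoming;
    }

    // STRONG: parse the link, require https and an allowlisted host, reject everything
    // else. Returns null for anything that should not be opened.
    static String safeOpenLink(String incoming) {
        try {
            URI uri = new URI(incoming);
            if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
            String host = uri.getHost();
            if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
            // Belt and braces: refuse userinfo so https://app.example.com@evil.example/
            // cannot be mistaken for the allowlisted host by a less careful parser.
            if (uri.getUserInfo() != null) return null;
            return uri.toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample links; only the first should be accepted.
        String[] samples = {
            "https://app.example.com/session/resume",
            "http://app.example.com/session/resume",
            "https://app.example.com@evil.example/",
            "javascript:alert(document.cookie)",
            "https://evil.example/?redirect=app.example.com",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeOpenLink(s));
        }
        System.out.println("weak token:   " + weakSessionToken());
        System.out.println("strong token: " + strongSessionToken());
    }
}
```

Compile with javac and run; only the first sample link survives the hardened check. The http variant fails the scheme test, the javascript: pseudo-URL has no host and fails the scheme test as well, and the userinfo form is rejected because java.net.URI reports evil.example as the host (the explicit userinfo check would catch it even if it did not). The remaining flaw in the report, local data readable by other apps, is an Android storage setting rather than a Java idiom: files written with Context.MODE_PRIVATE and content providers declared with android:exported="false" are reachable only by the app itself, short of root.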
Among the report's more alarming findings is that most of the ten apps lack any form of root detection. On a rooted device, any app granted root privileges can read all locally stored health data, including medication reminders and other mental health records. This is particularly concerning because some of this data is protected under HIPAA regulations in the US. Root detection is only a mitigation and can itself be bypassed, so encrypting health data at rest remains the more fundamental control.
Oversecured's report states that it scanned the latest available version of each app on 22 and 23 January. Of the ten apps reviewed, only four had received a recent update; the others had not been updated since as far back as September 2024. The researchers have not been able to confirm whether any of the vulnerabilities have since been patched.
The report has not yet disclosed the names of the affected apps, as Oversecured's vulnerability disclosure process is still ongoing.