On the Security and Privacy of AI-based Mobile Health Chatbots
Samuel Wairimu, Leonardo Horn Iwaya

TL;DR
This paper empirically evaluates 16 AI-based mobile health chatbots for security and privacy vulnerabilities, revealing significant issues and providing recommendations to improve their safety and user data protection.
Contribution
It offers a comprehensive assessment of security and privacy flaws in mHealth chatbots, highlighting design weaknesses and proposing actionable improvements.
Findings
Identified security vulnerabilities, such as Remote WebView debugging left enabled
Detected privacy issues and policy non-compliance
Provided recommendations for enhancing security and privacy
Abstract
The rise of Artificial Intelligence (AI) has impacted the development of mobile health (mHealth) apps, most notably with the advent of AI-based chatbots used as ubiquitous "companions" for various services, from fitness to mental health assistants. While these mHealth chatbots offer clear benefits, such as personalized health information and predictive diagnoses, they also raise significant concerns regarding security and privacy. This study empirically assesses 16 AI-based mHealth chatbots identified from the Google Play Store. The empirical assessment follows a three-phase approach (manual inspection, static code analysis, and dynamic analysis) to evaluate technical robustness and how design and implementation choices impact end users. Our findings revealed security vulnerabilities (e.g., enabling Remote WebView debugging), privacy issues, and non-compliance with Google Play…
Taxonomy
Topics: Digital Mental Health Interventions · AI in Service Interactions · Mobile Health and mHealth Applications
