Why Mental Health Apps May Not Be As Secure As You Think

The popularity of mental health apps skyrocketed as the stress from a prolonged global pandemic piled on, but these apps are apparently a privacy nightmare, too. As per research by Mozilla, "mental health and prayer apps are worse than any other product" when it comes to user privacy and security. In an analysis of 32 apps that offer mental health relief and prayer services, 29 were found to fail at serious privacy parameters and were awarded a Privacy Not Included label in Mozilla's app analysis guide.

It also came as a surprise that 25 of those apps lacked basic security protocols such as nudging users to set a strong password, sending timely security updates, and handling digital data vulnerabilities. Jen Caltrider from Mozilla warned that these "exceptionally creepy" apps are harvesting some of the most intimate data and personal moments of users, such as mental state and biometrics. This kind of information is a goldmine for ad targeting and can be used for even more sinister activities by bad actors.

Mozilla researcher Misha Rykov likened these apps to "data-sucking machines with a mental health app veneer," which says a lot about how bad the situation is. Among the 32 apps tested as part of the research, the six worst offenders — Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace — were found to be engaged in activities like saving chat transcripts and sharing personal user data with third parties.

Mental health apps aren't good for mental health

Aside from directly harvesting a worryingly high amount of user data, some of these apps also collected data from third parties like Facebook. Data brokers are also taking advantage of the lax security situation, and so are insurance companies. But data privacy is not the only concern here. Mozilla's research team discovered that some of these mental health apps allowed weak passwords as simple as "1" and "11111111."

Moodfit, an app that collects data about users' moods and any symptoms related to mental health issues, allowed users to set single-digit or single-letter passwords. There was also little information on how some of the analyzed apps handled vulnerabilities, whether their security updates were delivered in a timely manner — or if they planned on issuing security updates at all. Another concern is transparency, or the lack of it, as a majority of app developers didn't respond to requests about security or privacy when Mozilla's team attempted to make contact over the course of their research.

Further complicating the situation are the privacy policies of these apps, which are classified as "incredibly vague and messy." It's fairly standard practice for shady apps to use privacy policies that are essentially tall walls of text masquerading as barely comprehensible privacy disclosures in a bid to dissuade users from reading them, let alone discovering phrasing that would raise red flags. The entire list of problematic mental health apps assessed by Mozilla can be found in Mozilla's app analysis guide, alongside full details of their data harvesting and handling procedures.