PEPR '25: 2025 USENIX Conference on Privacy Engineering Practice and Respect

Primal Wijesekera, ICSI and UC Berkeley; Mohsin Khan


The regulatory landscape surrounding sharing personal health information is complex and constantly evolving. Given that a host of regulations could be relevant to mobile health applications, it is not surprising that many developers and organizations are confused about or unaware of the applicability of such regulations and how to comply. This misunderstanding may cost consumers privacy protection for highly sensitive health data. We examined the data handling practices of 408 Android telehealth apps from 36 countries. We found that a significant portion deployed event reporting, which exposes highly sensitive health data to domains not equipped to handle health data. Such practices demonstrate a clear gap between the operational, technical, and regulatory realms. In our pool of US-based telehealth apps, 48.09% potentially violate at least one applicable regulation. We also uncover three main patterns of violations among the U.S.-based apps, including the potential culpability of the Android Platform.

Liam Webster have contributed significantly in the course of the analysis to analyze apps and understand the legal context of this telehealth apps. This work was supported by the U.S. National Science Foundation NSF (under grant CNS-2055772 & ​CNS-2217771 ).​


https://www.usenix.org/conference/pepr25/presentation/wijesekera