Android Mental Health Apps With Millions of Installs Contain Hundreds of Security Gaps

Mental health apps are increasingly handling data that looks a lot like medical records: mood logs, CBT notes, medication schedules, and in some cases indicators of self-harm. New research by mobile security firm Oversecured, reported by BleepingComputer, suggests that parts of this ecosystem still aren’t treating that information with the level of security it deserves.

Oversecured analyzed ten Android mental health apps on Google Play, covering everything from mood tracking to AI therapy chatbots, and reported 1,575 total security issues across the set (54 high, 538 medium, 983 low).

While the report says none of the findings were deemed critical, many were the kind of weaknesses attackers routinely chain together: issues that can help intercept credentials, spoof notifications, inject HTML, or assist with tracking a user’s location.

Oversecured highlighted common patterns that can lead directly to data exposure. One example involved an app launching intents built from externally controlled strings without validating the destination component. This abuse case could allow opening internal activities that were never meant to be reachable from outside the app, potentially including flows that touch authentication tokens or session data.

Other themes included insecure local storage (data readable by other apps on the device), plaintext configuration artifacts inside APK resources (including backend endpoints), and weak randomness (e.g., java.util.Random) used in security-sensitive contexts like session tokens or keys.
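To make the first two patterns concrete, here is an added illustration (not code from the report or from any of the analyzed apps) of an exported Android activity that forwards an attacker-supplied intent string, beside a hardened version that pins the destination to an allowlist of in-package components and uses SecureRandom for session tokens. All class and component names are hypothetical.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.util.Base64;
import java.net.URISyntaxException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical exported activity that routes deep links to internal screens.
public class DeepLinkRouterActivity extends Activity {

    // VULNERABLE: the destination is parsed from a caller-controlled string and
    // launched as-is, so any app on the device can reach non-exported activities.
    void forwardUnchecked(Intent incoming) throws URISyntaxException {
        Intent target = Intent.parseUri(incoming.getStringExtra("next"), 0);
        startActivity(target);
    }

    // Hypothetical allowlist of screens that may be opened via deep link.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "com.example.mh.MoodLogActivity",
            "com.example.mh.JournalActivity"));

    // HARDENED: only explicit intents naming an allowlisted component in our own
    // package are forwarded, and URI-permission grants from the caller are dropped.
    void forwardChecked(Intent incoming) throws URISyntaxException {
        String uri = incoming.getStringExtra("next");
        if (uri == null) return;
        Intent target = Intent.parseUri(uri, 0);
        ComponentName cn = target.getComponent();
        if (cn == null
                || !getPackageName().equals(cn.getPackageName())
                || !ALLOWED.contains(cn.getClassName())) {
            return; // reject implicit intents and anything outside the allowlist
        }
        target.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        startActivity(target);
    }

    // Session tokens come from a CSPRNG, not java.util.Random: 256 bits, URL-safe.
    static String newSessionToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.encodeToString(raw,
                Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }
}
```

The allowlist check is what prevents the externally supplied string from selecting an arbitrary internal activity; the package comparison alone is not enough, since a caller can name any class inside the target package.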

The sensitive nature of therapy-related information changes the risk equation. Even if a flaw “only” exposes chat transcripts or mood entries, that data can still be used to target the individual for blackmail, phishing or identity fraud. The report also notes that therapy records can fetch high prices in underground markets.

The analysis also flags a maintenance concern across the scanned apps, with only four having recent updates. Others hadn’t been updated since late 2025, some even since 2024.

Application names were not published while disclosure is ongoing, and the researchers said they could not confirm whether vendors have already fixed any of the findings.

To stay safe, users should treat mental health apps like financial apps. Enable device-level security (PIN or biometrics) in your device settings, and avoid using these apps on altered or rooted devices. Prefer apps with frequent updates, and minimize what you store in them. If an app lets you delete old or unneeded history, or keep notes local and offline, use those options.

For apps handling sensitive data, baseline security should include secure storage, safe intent handling, modern cryptography practices, root/jailbreak risk modeling, and regular secure SDLC scanning and remediation.
