As a result of theand efforts to reduce transmission in the U.S., telehealth services and apps offering treatment have surged in popularity. A new investigation has found that several widely used opioid treatment recovery apps access and share sensitive user data with third parties. as addiction treatment facilities face budget cuts and closures, which has seen both investor and government interest turn to telehealth as a tool to combat the growing addiction crisis.
While people accessing these services may have a reasonable expectation of privacy, a new report from ExpressVPN’s Digital Security Lab, compiled in conjunction with the Opioid Policy Institute and the Defensive Lab Agency, found that some of these apps collect and share sensitive information with third parties, raising questions about their privacy and security practices.
The report studied ten opioid treatment apps: Bicycle Health, Boulder Care, Confidant Health, DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, PursueCare, Sober Grid, and Workit Health. These apps have been installed at least 180,000 times and have received more than $300 groups and the federal government. Despite these services’ vast reach and sensitive nature, the research found that most apps accessed unique identifiers about the user’s device and, in some cases, with third parties.
Seven of the ten apps studied access the Android Advertising ID (AAID), a user-generated identifier linked to other information to provide insights into identifiable individuals. Five of the apps also access the device’s phone number; three access the device’s unique IMEI and IMSI numbers, which can also be used to identify a person’s device uniquely; and two access a user’s list of, which the researchers say can be used to build a “fingerprint” of a user to track their activities.
Many of the apps examined also obtain location information in some form, which, when correlated with these unique identifiers, strengthens the capability for surveilling an individual and their daily habits, behaviors, and who they interact with. One of the apps’ methods is through Bluetooth; seven of the apps request permission to make Bluetooth connections, which theis particularly worrying because this can be used to track users in real-world locations.
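The correlation described above can be checked for on an app you are reviewing. The following is an added example, not code from the report or the researchers: it reads a decoded, plain-text AndroidManifest.xml and flags the case where identifier-related permissions and location or Bluetooth permissions are declared together. The permission-to-category mapping, the function name and the sample manifest are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> category named in the article. The mapping is this example's
# assumption; a declared permission shows capability, not proof of sharing.
# Apps targeting older Android versions can read the advertising ID without
# declaring AD_ID, so its absence proves nothing.
CATEGORIES = {
    "com.google.android.gms.permission.AD_ID": "advertising_id",
    "android.permission.READ_PHONE_NUMBERS": "phone_number",
    "android.permission.READ_PHONE_STATE": "device_identifiers",
    "android.permission.BLUETOOTH": "bluetooth",
    "android.permission.BLUETOOTH_SCAN": "bluetooth",
    "android.permission.BLUETOOTH_CONNECT": "bluetooth",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
IDENTIFIERS = {"advertising_id", "phone_number", "device_identifiers"}
LOCATION_SIGNALS = {"location", "bluetooth"}

def audit_manifest(manifest_xml):
    """Group declared permissions by category and flag identifier+location overlap."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            category = CATEGORIES.get(name)
            if category:
                found.setdefault(category, []).append(name)
    cats = set(found)
    return {
        "categories": {c: sorted(p) for c, p in found.items()},
        # True when a device/user identifier can be joined with where the user is
        "correlation_risk": bool(cats & IDENTIFIERS) and bool(cats & LOCATION_SIGNALS),
    }

# Constructed sample manifest (not taken from any of the apps in the report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.recovery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Manifests inside an APK are stored in a binary format and must be decoded to text before this runs; permissions pulled in by bundled SDKs appear in the merged manifest alongside the app's own.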
“Bluetooth can do what I call proximity tracking, so if you’re in the, it knows how long you’re in a certain aisle or how close you are to someone else,” Sean O’Brien, principal researcher at ExpressVPN’s Digital Security Lab who led the investigation, told TechCrunch. “Bluetooth is an area that I’m pretty concerned about.”
Another central area of concern is the use of tracker SDKs in these apps, which O’Brien previously warned about in a recent investigation that revealed that hundreds of were sending granular user location data to X-Mode, a data broker known to sell location data to U.S. military contractors, and now banned from both Apple and .
SDKs, or software development kits, are bundles of code app’s developers and third parties.to make them work properly, such as collecting location data. Often, SDKs are provided for free in exchange for sending back the app’s cache data. While the out that it does not categorize all usage of trackers as malicious, especially as many developers may not even be aware of their existence within their apps, they discovered a high prevalence of tracker SDKs in seven out of the ten apps that revealed potential data-sharing activity. Some SDKs are explicitly designed to collect and aggregate user data, even where the SDK’s core functionality is concerned. However, the researchers explain that an app that provides navigation to a recovery center may also be tracking a user’s movements throughout the day and sending that data back to the