The penetration of smartphone usage and the plethora of Android mobile apps across myriad categories has unveiled
a new set of challenges for vulnerable users such as the elderly. The elderly are trustful and compassionate, with
immense risk of having their security breached. Elderly people under mental or physical distress are also vulnerable
as they may be enticed to seek help from deceptive online predators. Elderly users driven by fear or hope may unwittingly
disclose personal information while using risky “self-help” or health apps. While the privacy and security issues in
mobile apps for the general population have been widely researched, the elderly user group needs to be aware of the
risks it may face. Our proposed study aims to investigate and shed light on the privacy and security issues in mobile
apps intended for use by the elderly, using a combination of dynamic and static analysis for 106 Android apps from the
Google Play Store. Our analysis unearths prevalent security and privacy issues that can lead to leakage of private
information and/or allow adversaries access to user data.
RESULTS SUMMARY
See below for our summary findings. We list the apps that we analyzed. In the summary tables, each
app is given zero to three stars, for our selected security and privacy criteria. Clicking the summary tables
will enlarge them. Clicking each app icon will provide details on the app.
What can be done to protect the privacy of elderly users while using elderly apps?
Elderly users should be careful not to disclose too much personal information to the app that could be
used to identify them, and consider using commonly used names for profiles that may be created while
registering for the apps (e.g., use John/Jane Doe as name).
How can I know which information is being collected by the app?
The easiest way to get an idea about which information a mobile app accesses is through the permissions it
requests. If an app asks for an unreasonable number of sensitive permissions, such as camera and location
access, try to disable these permissions. If the app cannot operate without them, consider switching to a
different app if you are not comfortable sharing that information. You may refer to our Results Summary to
check if the app you use has been analyzed by us.
Where can I find information about a particular app’s security?
We have analyzed a range of the most popular elderly apps for bad security practices and threats. Scorecards
rating the privacy and security of each app can be found in the results summary. If these scorecards show
particularly bad scores in multiple categories, you may want to switch to a safer app.
For Developers
How can we develop a secure app?
Mobile app companies should adopt publicly available guidelines and best practices, including proper API
authentication and web security standards. They should also adopt a strong password policy in their apps,
because the use of default, weak and stolen credentials has been exploited in many known
data breaches.
Developers should rigorously test the apps in actual usage simulations with the latest security tools to
eliminate bugs and security flaws.
How can we find and address vulnerabilities?
Companies should conduct regular security audits of apps developed by them. They should have a process to
address vulnerabilities such as responsible disclosure or bug bounty programs. The security and privacy
evaluation methodology that we developed can also be considered.
What do we do in case of suspicious activity?
Developers should design a way for apps to report / flag suspicious activities on the account such as password
changes and accesses from unrecognized devices. These activities could indicate account compromise.
What is the best practice in personal data collection?
Elderly apps should limit the collection, storage, and transmission of the user data to what is strictly necessary.
For instance, the app should not store PII which is not required for the app’s functionality.
The apps should also allow the user to selectively opt-out of the data collection in certain features.
How do we transmit sensitive data (e.g., user location)?
Transmission of sensitive data or personally identifiable information should happen exclusively over secure
communication channels (TLS 1.2/1.3). The solution should utilize MITM mitigation techniques such as host
white-listing, certificate pinning, and HSTS.
To what extent can we incorporate trackers into our apps?
Apps should limit the usage of trackers and tracking SDKs in apps intended for elderly users. Some SDKs also have
limited modes of operation where they do not collect as much data. These limited features should be used where possible.
The best practice should be the complete avoidance of using any tracking services.
