idw - Informationsdienst Wissenschaft
Researchers at the University of Bremen have uncovered significant discrepancies between the data protection claims and the actual behavior of mobile health applications (mHealth apps). Many apps transmit personal data before users have even given their consent.
The paper, entitled “Transparency and Consent Challenges in mHealth Apps: An Interdisciplinary Study of Privacy Policies, Data Sharing, and Dark Patterns,” was published by Dr. Mehrdad Bahrini and five other researchers from the University of Bremen following the European Symposium on Research in Computer Security (ESORICS 2025) conference. This is one of the leading international conferences in the field of computer security, at which the team presented its findings. The research conducted by the Bremen-based scientists combines approaches from information security, human-computer interaction, and data protection law – a key focus of the University of Bremen's Digital Media Lab.
The team conducted a comprehensive analysis of twenty popular mHealth apps available in Germany. Such apps have become an integral part of many people's everyday lives. They help with fitness training, cycle monitoring, and taking medication – and in doing so, they process particularly sensitive health data. But how secure and transparent are these applications when it comes to handling this information?
To find out, the researchers used static and dynamic analysis methods to examine app behavior and data flows. They also examined the privacy policies and consent dialogs in detail. “We wanted to see not only whether data is shared, but also when and where it is sent – and whether users are even informed,” explains Dr. Mehrdad Bahrini. “Our goal was to combine the technical perspective with legal and user-centered aspects.”
Serious Problems: Data Transfer Without Consent, Manipulative Tricks, Linguistic Ambiguities
The study reveals several serious problems with regard to data protection and transparency. For example, several apps transmitted personal data such as advertising IDs even before users had given their consent. All twenty examined apps also sent data to third countries, particularly the US. Around 40 percent additionally communicated with servers in Ireland, which often serves as a European data hub. Connections to servers in Australia, Sweden, China, and Singapore were also detected – an indication of the global distribution of data flows in mHealth apps. In order to obtain users' consent to data transfer, all apps contained at least one manipulative design trick (“dark pattern”) that misled users into hastily accepting all terms and conditions.
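The two behaviours reported above, pre-consent transmission of advertising IDs and transfers to third countries, can be checked mechanically once a dynamic-analysis capture is reduced to per-request records. The following is an added illustration, not the Bremen team's tooling; the field names, the GeoIP-derived country codes and the sample capture are assumptions constructed for the example.

```python
"""Audit a captured mHealth app session for data sent before consent and
data sent to third countries. Added illustration; not the study's own code."""
from dataclasses import dataclass, field
from datetime import datetime

# Query/body keys that carry a device advertising identifier (assumed names).
AD_ID_KEYS = {"gaid", "idfa", "advertising_id"}
# EU/EEA ISO country codes; destinations outside this set are third countries.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
          "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
          "SI", "ES", "SE", "IS", "LI", "NO"}

@dataclass
class Flow:
    ts: datetime          # time the request left the device
    host: str             # destination hostname
    country: str          # destination country from a GeoIP lookup (assumed)
    params: dict = field(default_factory=dict)  # decoded query/body fields

def audit(flows, consent_ts):
    """Return (finding, host, detail) tuples, one per violated expectation."""
    findings = []
    for f in flows:
        ad_keys = sorted(AD_ID_KEYS & {k.lower() for k in f.params})
        if f.ts < consent_ts:
            kind = "PRE_CONSENT_AD_ID" if ad_keys else "PRE_CONSENT"
            findings.append((kind, f.host, ",".join(ad_keys)))
        if f.country not in EU_EEA:
            findings.append(("THIRD_COUNTRY", f.host, f.country))
    return findings

# Constructed capture: the user taps "accept" at 10:00:05; two requests precede it.
CONSENT = datetime(2025, 1, 1, 10, 0, 5)
CAPTURE = [
    Flow(datetime(2025, 1, 1, 10, 0, 1), "analytics.example", "US", {"gaid": "x"}),
    Flow(datetime(2025, 1, 1, 10, 0, 3), "cdn.example", "IE"),
    Flow(datetime(2025, 1, 1, 10, 0, 9), "api.example", "DE", {"gaid": "x"}),
    Flow(datetime(2025, 1, 1, 10, 0, 12), "push.example", "SG"),
]

if __name__ == "__main__":
    for kind, host, detail in audit(CAPTURE, CONSENT):
        print(f"{kind:18} {host:20} {detail}")
```

The sample flags the analytics request twice (advertising ID before consent, and a US destination), the CDN request once for timing alone, and the push server once for its destination; the post-consent request to a German host passes.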
There were also language and comprehensibility issues: In 10 out of 16 apps with a German interface, the privacy policies were available exclusively in English. And even with German privacy policies, some things remained unclear. For instance, many apps only named data recipients in general categories such as “partners” or “service providers” instead of listing specific companies.
The study reveals a significant gap between the stated data protection practices and the actual conduct on the part of the apps. Even though many applications formally meet the requirements of the EU’s General Data Protection Regulation (GDPR), there is often a lack of genuine transparency and comprehensibility.
“Legal compliance alone is not enough if users cannot understand what is happening to their data,” emphasizes Bahrini. “Trust is crucial, especially when it comes to sensitive health data – this is as much a matter of ethics as it is of regulation.”
The results highlight the need for clearer guidelines for transparent data protection information and for design standards that prevent manipulative consent dialogues – especially in the field of digital health applications.
In future projects, the team plans to develop automated procedures for analyzing data flows and detecting dark patterns. The aim is to support developers and regulatory authorities in evaluating and improving digital health applications.
Dr. Mehrdad Bahrini
Faculty of Mathematics / Computer Science
University of Bremen
Email: mbahrini@uni-bremen.de
Phone: +49 421 218-64404
PD Dr. Karsten Sohr
Faculty of Mathematics / Computer Science
University of Bremen
Email: sohr@uni-bremen.de
Phone: +49 421 218-63922
https://doi.org/10.1007/978-3-032-07901-5_1
mHealth apps have become an integral part of many people's everyday lives. They help with fitness tr ...
Source: Patrick Pollmeier
Copyright: Universität Bremen / Patrick Pollmeier
Criteria of this press release:
Business and commerce, Journalists, Scientists and scholars, Students, Teachers and pupils, all interested persons
Information technology, Nutrition / healthcare / nursing
transregional, national
Research results
English