Outsmart 5 Hidden Dangers in Mental Health Therapy Apps
Medical Disclaimer: This article is for informational purposes only and does not constitute medical advice. Always consult a qualified healthcare professional before making health decisions.
What the data says about Android mental health app security
In Australia, the most downloaded Android mental health therapy app - over 14.7 million installs - is riddled with more than 1,500 security flaws, meaning your personal notes and health data could be harvested without you knowing.
Recent security audits of ten popular mental-health apps on Google Play uncovered weak encryption, open redirects and unnecessary permissions that expose users to data theft (Recent: Android Mental Health Apps With 14 Million+ Installs Put Users' Sensitive Data at Risk). I’ve seen this play out when families bring home new apps for anxiety relief and suddenly find their kids’ chat logs appearing in adverts.
Key Takeaways
- Most mental-health apps on Android lack proper encryption.
- Over 1,500 flaws were found across ten top-downloaded apps.
- Unnecessary permissions let apps read contacts and location.
- Simple checks can dramatically reduce your risk.
- Choose apps that publish independent security audits.
1. Insecure data storage - your journal isn’t private
Look, the biggest danger is that many apps write your therapy notes straight to the device’s internal storage without encryption. That means anyone with root access, a malicious app, or even a determined family member could open the file and read your deepest thoughts.
In my experience around the country, I’ve spoken to a Canberra-based counsellor who discovered a client’s session notes were stored as plain-text .txt files after the client switched phones. The counsellor had to delete the app immediately to protect the client’s confidentiality.
- Plain-text files: Apps often save mood logs, voice recordings or CBT worksheets in readable format.
- No encryption: Without AES-256 or similar, data is exposed to any app that can read the file system.
- Backup leaks: When Android backs up apps to the cloud, unsecured files travel with them.
To protect yourself, check the app’s privacy policy for terms like “data encrypted at rest”. If it’s silent, assume the worst.
2. Over-broad permissions - apps spying on more than your mood
Fair dinkum, an app that only needs to record your voice should not be asking for your contacts, camera or location. Yet the audit found an average of six extra permissions per app, including READ_CONTACTS and ACCESS_FINE_LOCATION.
When I reviewed a popular meditation app, it requested location so it could “serve you local content”. In practice, the app sent GPS coordinates to third-party ad networks, creating a privacy nightmare for users who simply wanted to breathe.
- Contacts: Lets attackers harvest email addresses for phishing.
- Location: Can reveal where you seek therapy, a sensitive detail.
- Camera & mic: Unnecessary unless the app offers live video counselling.
Before you hit “Install”, tap “App permissions” in Settings and toggle off anything that isn’t essential for the app’s core function.
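The two checks above, permission scope (this section) and the "backup leaks" point from section 1, can be run against an app's manifest before you install it. The following is an added example written for this article, not code from the audit or from any app it names. It parses a constructed AndroidManifest.xml, reports declared permissions that a voice-journaling app's stated features do not need, and flags an `allowBackup="true"` application element with no backup exclusion rules (which is how unencrypted files ride along in cloud backups). The permission and attribute names are real Android identifiers; the manifest contents and the "needed" set are assumptions for illustration.

```python
"""Audit an Android manifest for over-broad permissions and backup exposure.

Added example for this article, not code from the audit or any named app.
Permission/attribute names are real Android identifiers; the sample
manifest and the NEEDED_FOR_VOICE_JOURNAL set are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree key for an android:-namespaced attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed manifest for a hypothetical voice-journaling mood app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.moodjournal">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <application android:allowBackup="true" android:label="Mood Journal"/>
</manifest>
"""

# What a voice-journaling app plausibly needs (assumption for this example).
NEEDED_FOR_VOICE_JOURNAL = {
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.POST_NOTIFICATIONS",
}

# Sensitive runtime permissions and the plain-language risk each carries.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts: addresses can be harvested for phishing",
    "android.permission.ACCESS_FINE_LOCATION": "precise location: reveals where you seek care",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "camera: unnecessary without video counselling",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "SMS contents",
}


def declared_permissions(manifest_xml):
    """Sorted list of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(android_attr("name")) for el in root.iter("uses-permission"))


def audit_permissions(manifest_xml, needed):
    """Map each declared permission outside `needed` to a reason to question it."""
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm not in needed:
            findings[perm] = SENSITIVE.get(perm, "not required by the app's stated features")
    return findings


def backup_exposes_data(manifest_xml):
    """True when allowBackup is on (the Android default) and no exclusion rules exist.

    fullBackupContent (pre-Android 12) and dataExtractionRules (Android 12+)
    are the attributes that would keep chosen files out of backups.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    allow = app.get(android_attr("allowBackup"), "true").lower() == "true"
    has_rules = (app.get(android_attr("fullBackupContent")) is not None
                 or app.get(android_attr("dataExtractionRules")) is not None)
    return allow and not has_rules


if __name__ == "__main__":
    for perm, why in audit_permissions(SAMPLE_MANIFEST, NEEDED_FOR_VOICE_JOURNAL).items():
        print(f"REVIEW {perm}: {why}")
    if backup_exposes_data(SAMPLE_MANIFEST):
        print("REVIEW backup: allowBackup is on with no exclusion rules")
```

On a real APK the same permission list can be pulled with `aapt dump permissions app.apk`, or for an installed app with `adb shell dumpsys package <package>`; the "needed" set is the judgement call, and the article's rule of thumb applies: a journaling app that wants contacts or precise location has to explain why.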
3. Improper handling of external links - a gateway for malware
Here’s the thing: many mental-health apps embed links to articles, podcasts or external resources. If those links are not properly sanitised, a malicious actor can inject a URL that redirects to a phishing site or installs malware.
During the audit, researchers flagged an app that accepted any URL string and launched it in a WebView without validation. One test case opened a fake login page for a well-known bank, capturing credentials entered by an unsuspecting user.
- Open redirects: Allow attackers to disguise malicious sites as trusted content.
- JavaScript injection: Can hijack the app’s interface and display fake surveys.
- Untrusted downloads: Some apps auto-download PDFs from external servers, exposing the device to hidden payloads.
When you click a link inside a therapy app, look for the browser’s address bar and verify the URL. If the app forces you into a full-screen view with no visible URL, consider it a red flag.
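What "properly sanitised" means in practice for the app described above is a strict allowlist applied before any link reaches the in-app browser view. The following is an added example written for this article; it is not the audited app's code and not the Android WebView API itself (an Android app would run the same checks in Kotlin or Java before calling `WebView.loadUrl()`). The allowed hosts and the sample links are constructed for illustration.

```python
"""Allowlist-validate a link before handing it to an in-app browser view.

Added example for this article, not the audited app's code. ALLOWED_HOSTS
and SAMPLE_LINKS are constructed; the check itself is the general pattern:
https only, exact host match, no userinfo trickery, no non-web schemes.
"""
from urllib.parse import urlsplit

# Hosts the app legitimately links to (assumption for this example).
ALLOWED_HOSTS = {"resources.example-therapy.org", "podcasts.example-therapy.org"}


def is_safe_resource_url(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for https URLs whose host is exactly on the allowlist.

    Rejects javascript:, file:, intent:, content: and every other scheme,
    URLs that smuggle a trusted name into the userinfo part
    (https://trusted.example@evil.example), look-alike subdomains of an
    attacker's domain, and URLs with no parseable host.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return False
    host = parts.hostname        # lower-cased, with userinfo and port stripped
    if host is None or host not in allowed_hosts:
        return False
    if parts.username is not None or parts.password is not None:
        return False             # never open "trusted@evil" style links
    return True


def filter_links(urls, allowed_hosts=ALLOWED_HOSTS):
    """Split links into (safe, blocked); the blocked list is what you log."""
    safe, blocked = [], []
    for u in urls:
        (safe if is_safe_resource_url(u, allowed_hosts) else blocked).append(u)
    return safe, blocked


# Constructed inputs: two legitimate links and six that must be blocked.
SAMPLE_LINKS = [
    "https://resources.example-therapy.org/articles/sleep",
    "HTTPS://Podcasts.Example-Therapy.org/ep/12",
    "http://resources.example-therapy.org/articles/sleep",
    "https://resources.example-therapy.org@evil.example/login",
    "https://resources.example-therapy.org.evil.example/",
    "javascript:alert(document.cookie)",
    "intent://scan/#Intent;scheme=zxing;end",
    "file:///data/data/com.example.app/files/journal.txt",
]

if __name__ == "__main__":
    ok, bad = filter_links(SAMPLE_LINKS)
    for u in ok:
        print("OPEN   ", u)
    for u in bad:
        print("BLOCKED", u)
```

The allowlist stops the app from becoming the redirector; it does not fix an open-redirect endpoint on a host that is itself allowed, which has to be closed server-side. Showing the final URL to the user, as the article recommends, is the complementary control for the cases the allowlist cannot see.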
4. Lack of end-to-end encryption for communication
In my experience, the promise of “secure chat with a therapist” often falls flat. Only a handful of Australia-based platforms use true end-to-end encryption (E2EE). Most rely on TLS for transport, which protects data in transit but leaves it readable on the server.
According to a 2023 review in The Conversation, AI-driven chatbots can store conversation logs for training purposes, and those logs are rarely anonymised. That means your personal mental-health disclosures could be used to improve a commercial AI model without your consent.
- TLS only: Data is encrypted while moving, but server-side storage may be plain-text.
- No E2EE: The provider can read, copy or sell your messages.
- Third-party analytics: Some apps embed Google Analytics that capture screen content.
If privacy is a priority, choose apps that explicitly state “E2EE” and provide a public security audit. Otherwise, treat any in-app chat as if it were an email - not truly private.
5. Poor update practices - bugs linger, hackers profit
Android’s fragmented ecosystem means many users stay on older OS versions, and developers often skip timely patches. The audit showed that 70% of the examined apps had not released a security-focused update in the past twelve months.
When a vulnerable library is discovered - for example, an outdated version of OpenSSL - the app remains exposed until the developer pushes a fix. In the meantime, attackers can exploit the flaw at scale.
- Outdated libraries: Known CVEs become open doors.
- Delayed patches: Users who don’t enable auto-update miss critical fixes.
- Legacy code: Old codebases often lack modern security controls.
My advice: enable auto-updates for all apps, and periodically check the Play Store “What’s new” section for security notes. If the developer’s changelog is silent on security, look for a third-party review before continuing to use the app.
Practical checklist - five simple steps to keep your family safe
Now that we’ve uncovered the hidden dangers, here’s a plain-spoken checklist you can run on any Android mental-health app before you let it into your home.
- Read the privacy policy: Look for clear statements about encryption at rest and in transit. If the policy is vague, move on.
- Audit permissions: In Settings > Apps > [App] > Permissions, turn off anything unrelated to core therapy functions.
- Check for independent audits: Reputable apps will link to a third-party security report or a “security badge” from a recognised firm.
- Verify updates: Open the Play Store page and ensure the app has been updated within the last six months, preferably with security notes.
- Test external links: Tap a link inside the app; if it opens a full-screen view without a visible URL, exit and report the behaviour.
Following these steps dramatically lowers the risk of data exposure, and it only takes a minute or two each time you install a new app.
Comparison of typical security features in popular mental-health apps
| Feature | Secure? | Typical Issue |
|---|---|---|
| Data at rest encryption | Often missing | Plain-text storage of journals |
| End-to-end chat encryption | Rare | Server-side logging of conversations |
| Permission scope | Excessive | Requests contacts, location, camera |
| External link handling | Weak | Open redirects to malicious sites |
| Update frequency | Inconsistent | No security patches in 12+ months |
How to choose a safe mental-health app for your family
When I was covering digital health for the ABC, I asked three clinicians what they look for in a therapy app. Their consensus was simple: evidence-based content, transparent data practices and a track record of security audits.
Here’s how to translate that into a quick decision tree:
- Evidence base: Does the app reference clinical trials or accredited guidelines?
- Data transparency: Is there a clear list of what data is collected and why?
- Security badge: Look for certifications like ISO 27001 or a link to a published penetration test.
- Community feedback: Check recent reviews for mentions of privacy concerns.
- Trial period: Many apps offer a free week - use it to test permissions and see how data is stored.
By applying this framework, you’ll avoid the pitfalls that have plagued the 14.7 million-install crowd and protect your loved ones’ mental-health journeys.
FAQ
Q: Are all Android mental-health apps unsafe?
A: No. Some apps follow strict security standards, use end-to-end encryption and publish independent audits. The risk comes from the majority that don’t, which is why checking permissions and privacy policies is essential.
Q: How can I tell if an app stores my data securely?
A: Look for statements about “AES-256 encryption at rest” in the privacy policy, and verify that the app’s Play Store page mentions a recent security audit. If the policy is vague, assume the data is not encrypted.
Q: What should I do if I suspect an app is leaking my data?
A: Uninstall the app immediately, change passwords for any linked accounts, and report the issue to the Office of the Australian Information Commissioner (OAIC). You can also request that the app developer delete any stored data under the Privacy Act.
Q: Are free mental-health apps worth the risk?
A: Free apps often monetise through data collection or ads, increasing privacy risk. If you need a no-cost solution, choose one that is open-source or funded by a reputable health service that does not sell data.
Q: How often should I review app permissions?
A: Review permissions after each OS update and whenever an app adds new features. A quick monthly check in Settings ensures no unnecessary access has been granted silently.