Several popular mental health apps on Google Play have security weaknesses that could expose users’ deeply personal medical information, according to a new report from mobile security firm Oversecured.

Researchers examined ten Android apps that claim to help users manage depression, anxiety, panic attacks, stress, bipolar disorder, and other conditions. Some of these apps act as AI therapy chatbots or digital companions that promise private and secure conversations. Together, the apps have been downloaded more than 14.7 million times.

During scans conducted on January 22 and 23, researchers discovered 1,575 security vulnerabilities. Among them were 54 high-severity issues, 538 medium-severity issues, and 983 low-severity issues. While none were labeled critical, many of the flaws could still be dangerous. Attackers could potentially intercept login credentials, inject malicious code, fake notifications, or even track a user’s location.

In one app with more than 1 million downloads, researchers found over 85 medium- and high-severity vulnerabilities alone. At least six of the ten apps claim that user conversations remain private or are securely encrypted on their servers. However, the findings suggest that weaknesses in the apps could put that privacy at risk.

Sergey Toshin, founder of Oversecured, said mental health data is especially valuable to cybercriminals. Therapy records can reportedly sell for $1,000 or more per record on the dark web, far more than stolen credit card information.

One major issue involved apps that process user-supplied links without properly validating them. In one case, an app used the Android function Intent.parseUri() on an externally controlled string and launched it without checking where it led. This flaw could allow attackers to open internal parts of the app that are not meant for public access. Since those sections may handle authentication tokens and session data, attackers could gain access to therapy records.
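To show what the safe handling of such a link looks like, here is an added example (not code from the report or from any of the apps it covers) contrasting the pattern the report describes with a hardened variant; the class name `SafeLinkHandler` and both method names are assumptions:

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import java.net.URISyntaxException;

// Hypothetical helper; not taken from any of the apps in the report.
public final class SafeLinkHandler {

    // The pattern the report describes: an externally controlled string is
    // parsed and launched as-is, so it may address non-exported components
    // of this very app that hold tokens and session data.
    static void openLinkUnsafe(Context ctx, String externalUrl) throws URISyntaxException {
        Intent intent = Intent.parseUri(externalUrl, Intent.URI_INTENT_SCHEME);
        ctx.startActivity(intent);
    }

    // Hardened variant: the parsed intent may only resolve to a BROWSABLE
    // https link handled outside this package, with no explicit target
    // component and no URI permission grants riding along.
    static boolean openLinkSafely(Context ctx, String externalUrl) {
        Intent intent;
        try {
            intent = Intent.parseUri(externalUrl, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return false;
        }
        // Drop any explicit component or selector so the string cannot name
        // an internal Activity of this app directly.
        intent.setComponent(null);
        intent.setSelector(null);
        // Only the kind of intent a browser is allowed to hand out.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // Strip flags that would forward this app's content-provider access.
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
        intent.setFlags(intent.getFlags() & ~grantFlags);
        // Allow plain https views only; reject file://, content:// and custom schemes.
        Uri data = intent.getData();
        if (!Intent.ACTION_VIEW.equals(intent.getAction())) return false;
        if (data == null || !"https".equalsIgnoreCase(data.getScheme())) return false;
        // Refuse anything that would still resolve back into this app.
        ComponentName target = intent.resolveActivity(ctx.getPackageManager());
        if (target == null || ctx.getPackageName().equals(target.getPackageName())) return false;
        ctx.startActivity(intent);
        return true;
    }
}
```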

Researchers also found that some apps store sensitive data locally in ways that make it readable by other apps on the same device. This could expose therapy notes, CBT session entries, mood logs, and mental health scores. In addition, plaintext configuration details, such as backend API endpoints and a hardcoded Firebase database URL, were discovered in some app files.

Some apps were found using the insecure java.util.Random class to generate session tokens or encryption keys, which makes those values predictable and weakens the protections built on them. Most of the apps also lacked root detection. On a rooted device, any malicious app with elevated privileges could access locally stored health data.

Although six of the ten apps had no high-severity vulnerabilities, they still contained medium-severity issues that weaken overall security. These apps collect extremely sensitive information, including therapy transcripts, medication schedules, self-harm indicators, and other data that may fall under HIPAA protections.

Only four of the apps had been updated as recently as this month. Others had not received updates since late 2025 or even September 2024. The researchers said they cannot confirm whether the vulnerabilities have been fixed.

The names of the affected apps have not been made public because the security issues are still being responsibly disclosed to the developers.