A security framework for mHealth apps on Android platform

Mobile Health (mHealth) applications are readily accessible to the average users of mobile devices, and despite the potential of mHealth applications to improve the availability, affordability and effectiveness of delivering healthcare services, they handle sensitive medical data, and as such, have also the potential to carry substantial risks to the security and privacy of their users. Developers of applications are usually unknown, and users are unaware of how their data are being managed and used. This is combined with the emergence of new threats due to the deficiency in mobile applications development or the design ambiguities of the current mobile operating systems. A number of mobile operating systems are available in the market, but the Android platform has gained the topmost popularity. However, Android security model is short of completely ensuring the privacy and security of users' data, including the data of mHealth applications. Despite the security mechanisms provided by Android such as permissions and sandboxing, mHealth applications are still plagued by serious privacy and security issues. These security issues need to be addressed in order to improve the acceptance of mHealth applications among users and the efficacy of mHealth applications in the healthcare systems. The focus of this research is on the security of mHealth applications, and the main objective is to propose a coherent, practical and efficient framework to improve the security of medical data associated with Android mHealth applications, as well as to protect the privacy of their users. The proposed framework provides its intended protection mainly through a set of security checks and policies that ensure protection against traditional as well as recently published threats to mHealth applications. The design of the framework comprises two layers: a Security Module Layer (SML) that implements the security-check modules, and a System Interface Layer (SIL) that interfaces SML to the Android OS. SML enforces security and privacy policies at different levels of Android platform through SIL. The proposed framework is validated via a prototypic implementation on actual Android devices to show its practicality and evaluate its performance. The framework is evaluated in terms of effectiveness and efficiency. Effectiveness is evaluated by demonstrating the performance of the framework against a selected set of attacks, while efficiency is evaluated by comparing the performance overhead in terms of energy consumption, memory and CPU utilization, with the performance of a mainline, stock version of Android. Results of the experimental evaluations showed that the proposed framework can successfully protect mHealth applications against a wide range of attacks with negligible overhead, so it is both effective and practical. (C) 2018 Elsevier Ltd. All rights reserved.