An audit of popular Android mental health apps has revealed more than 1,500 security vulnerabilities, including 54 high‑severity flaws.
What happened
According to Bleeping Computer, a new security audit has revealed that several mental health apps on the Android Google Play Store, collectively installed more than 14.7 million times, contain security vulnerabilities that could expose sensitive personal information. Cybersecurity firm Oversecured scanned ten Android apps, including mood trackers, AI therapy chatbots, and other mental health tools, and found 1,575 security flaws in total, including 54 high‑severity issues, in the versions available in late January 2026.
According to a report shared with Bleeping Computer, flaws range from insecure handling of app links and weak cryptography to improper local data storage that could be read by any app on a user’s device. Some apps also lack basic protections such as root‑detection, which can make them more vulnerable on jailbroken phones.
Going deeper
None of the vulnerabilities are classified as “critical”; however, many could be exploited by an attacker to intercept login credentials, spoof notifications, inject malicious HTML, or gain access to internal app activities intended to be private. In one case, a therapy app with over 1 million installs was found using unsafe URI parsing, allowing attackers to force the program to open internal functions, potentially exposing session tokens or therapy records.
Several of the affected apps have not been updated in months or even years, which raises concerns about whether developers are actively maintaining security. Researchers have not yet confirmed whether fixes for the vulnerabilities have been released.
What was said
“Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,” Sergey Toshin, founder of mobile security company Oversecured, told Bleeping Computer. The researchers also noted that the apps “collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA.” They further explained that some apps “parse user-supplied URIs without adequate validation,” and that exploitation of these flaws could give an attacker access to a user’s therapy records.
In the know
Unlike generic fitness data, therapy notes and mental health logs can reveal deeply private aspects of an individual’s life, and these records can be more valuable to attackers than credit card numbers. Paubox recommends using its HIPAA compliant email solution to securely share mental health updates, therapy reminders, and remote monitoring check-ins with patients. By delivering sensitive information directly to a protected inbox rather than relying on potentially vulnerable apps, healthcare providers can reduce the risk of data exposure while maintaining continuity of care.
Why it matters
With millions of downloads on Android, these vulnerabilities could affect a large global user base, highlighting broader concerns about how digital health tools handle privacy and security.
FAQs
Are mental health apps safe to use?
While many apps are legitimate, they may contain security flaws that could expose sensitive personal data. Users should check app updates, developer reputation, and permissions before use.
Why is mental health data more valuable to attackers than credit card information?
Therapy notes, mood logs, and medication schedules contain deeply personal information. On the dark web, such data can be sold for high prices because it can be used for blackmail, identity theft, or targeted social engineering attacks.
Can HIPAA compliant email replace mental health apps for remote monitoring?
For many routine updates, check-ins, and therapy reminders, HIPAA compliant email can be a safer alternative to apps, especially when app security is uncertain. It ensures sensitive data remains protected and accessible only to authorized recipients.
