Smartphone technology has drastically improved over the past decade. These
improvements have seen the creation of specialized health applications, which
offer consumers a range of health-related activities such as tracking and
checking symptoms of health conditions or diseases through their smartphones.
We term these applications Symptom Checking apps, or simply SymptomCheckers.
Due to the sensitive nature of the private data they collect, store and manage,
leakage of user information could result in significant consequences. In this
paper, we use a combination of techniques from both static and dynamic analysis
to detect, trace and categorize security and privacy issues in 36 popular
SymptomCheckers on Google Play. Our analyses reveal that SymptomCheckers
request a significantly higher number of sensitive permissions and embed a
higher number of third-party tracking libraries for targeted advertisements and
analytics, exploiting the privileged access of the SymptomCheckers in which they
exist, as a means of collecting and sharing critically sensitive data about the
user and their device. We find that these are sharing the data that they
collect in unencrypted plain text with third-party advertisers and, in
some cases, with malicious domains. The results reveal that the exploitation of
SymptomCheckers is present in popular apps, still readily available on Google

