1,575 Vulnerabilities Found in Mental Health Apps With 14.7 Million Installs — Therapy Notes Included

What Happened
On February 23, 2026, security firm Oversecured published research revealing that 10 popular mental health apps on Google Play — with a combined 14.7 million installs — contain a total of 1,575 security vulnerabilities, including 54 rated high-severity.
One app alone had more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users' therapy data.
These aren't generic data collection apps. They store some of the most sensitive personal information found on a phone: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, data protected under HIPAA.
BleepingComputer has withheld the names of the affected apps because Oversecured is still in the process of responsible disclosure. But the scale — 14.7 million installs across 10 apps — means the odds are high that you or someone you know has used one of them.
What Was Found
The Vulnerability Breakdown
Oversecured's scan uncovered issues across multiple vulnerability classes:
| Category | What It Means |
|---|---|
| Unsafe Intent.parseUri usage | Parsing attacker-controlled intent:// URLs (for example from a WebView) without stripping the explicit component and extras lets a web page launch the app's own non-exported activities with attacker-chosen data |
| Readable local storage | Sensitive data written to world-readable files or external storage, where any app on the device can read it |
| Plaintext API/configuration data | API keys and configuration stored in the APK or on disk without encryption, recoverable by anyone who unpacks the app |
| Insecure token generation | Using java.util.Random (a predictable 48-bit generator, not a CSPRNG) for session tokens and encryption keys |
| No root detection | On rooted devices, any app with root privileges can read the app's private storage; without detection the app keeps handling health data as if the device were trustworthy |
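The parseUri row is the least obvious of these classes, so here is an added example (written for this article, not code from Oversecured or any of the scanned apps) showing the unsafe pattern next to a hardened WebViewClient. Class and method names are mine; it assumes the client is attached to a WebView hosted by an Activity, API 24 or later for the WebResourceRequest overload, and, on API 30+, a `<queries>` declaration in the manifest so resolveActivity() can see the target.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URISyntaxException;

/** Added example: an unsafe and a hardened handler for intent:// URLs reaching a WebView. */
public class IntentUrlClient extends WebViewClient {
    private final Activity activity;

    public IntentUrlClient(Activity activity) {
        this.activity = activity;
    }

    /**
     * VULNERABLE: the pattern behind the "Unsafe Intent.parseUri usage" finding.
     * Web content controls the whole URL, so it can set
     * component=<this app's non-exported Activity> plus arbitrary extras, and
     * startActivity() honours it because the caller is the app itself.
     */
    @SuppressWarnings("unused")
    private void unsafeOpen(String url) throws URISyntaxException {
        Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        activity.startActivity(intent);
    }

    /** HARDENED: treat the parsed Intent as an untrusted, browser-style launch request. */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        String url = request.getUrl().toString();
        if (!url.startsWith("intent:")) {
            return false;                       // ordinary URLs: let the WebView load them
        }
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return true;                        // malformed: consume the navigation, do nothing
        }
        // 1. Only activities that opt in to being launched from the web may match.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // 2. Remove explicit targets so the URL cannot name a component, including
        //    this app's own non-exported activities.
        intent.setComponent(null);
        intent.setSelector(null);
        // 3. Never pass our URI permission grants along to whatever launches.
        intent.setFlags(intent.getFlags() & ~(
                Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
        // 4. Refuse quietly when nothing exported and BROWSABLE resolves.
        if (intent.resolveActivity(activity.getPackageManager()) == null) {
            return true;
        }
        try {
            activity.startActivity(intent);
        } catch (ActivityNotFoundException | SecurityException e) {
            // Resolution raced with an uninstall, or the target refused us: drop it.
        }
        return true;
    }
}
```

The four steps are the same treatment a browser gives an intent:// link: the page may ask for an action and data, but it never gets to choose the component or to carry permission grants.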
The Token Generation Problem
Several of the apps use java.util.Random to generate session tokens or encryption keys. This is a well-documented security mistake: java.util.Random is a 48-bit linear congruential generator, not a cryptographically secure one. Each nextInt() call exposes the top 32 bits of its state, so two consecutive outputs are enough to brute-force the remaining 16 bits and recover the full state, after which every past and future value is computable. Seeding it from the clock does not help; the attack needs no knowledge of the seed.
For a social media app, this might be a moderate risk. For an app that stores therapy session transcripts, it's negligent.
The correct approach is java.security.SecureRandom, which on Android draws from the kernel's CSPRNG. Two caveats: never call setSeed() with a fixed or low-entropy value (on old Android versions this replaced the entropy rather than adding to it), and size tokens to at least 128 bits. This is basic security: it is taught in introductory mobile security courses, listed in the OWASP Mobile Top 10 under Insufficient Cryptography, and flagged by common static analysis tools.
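To make the predictability concrete, here is an added example (written for this article, not code from Oversecured or any of the apps) that recovers java.util.Random's internal state from two observed nextInt() values and predicts the third, next to the SecureRandom replacement. The class and method names are mine; it needs only a plain JDK and no Android dependency.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Added example: recovers java.util.Random's state from two observed outputs
 * and predicts the third, then shows the SecureRandom replacement.
 */
public class PredictableTokenDemo {
    // Constants from java.util.Random (a 48-bit linear congruential generator).
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One LCG step: the same transition java.util.Random.next() performs. */
    static long step(long state) {
        return (state * MULTIPLIER + ADDEND) & MASK;
    }

    /** nextInt() exposes the top 32 of the 48 state bits. */
    static int outputOf(long state) {
        return (int) (state >>> 16);
    }

    /**
     * Given two consecutive nextInt() values, brute-force the 16 hidden bits of
     * the state that produced the first, and return the state after the second.
     * Returns -1 if no candidate matches (cannot happen for genuine outputs).
     */
    static long recoverState(int first, int second) {
        long upper = (first & 0xFFFFFFFFL) << 16;   // the 32 known bits, shifted into place
        for (long low = 0; low < (1L << 16); low++) {
            long candidate = upper | low;            // state after the first output
            long next = step(candidate);
            if (outputOf(next) == second) {
                return next;                         // state after the second output
            }
        }
        return -1;
    }

    static int predictNext(long state) {
        return outputOf(step(state));
    }

    /** The fix: 256 bits from the platform CSPRNG, URL-safe base64 encoded. */
    static String secureToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);           // never call setSeed() with a fixed value
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        Random weak = new Random();                  // time-seeded, as a careless app would do
        int token1 = weak.nextInt();                 // two "tokens" the attacker observes...
        int token2 = weak.nextInt();
        long state = recoverState(token1, token2);
        int predicted = predictNext(state);          // ...let them compute the third
        int actual = weak.nextInt();
        System.out.printf("predicted %d, actual %d, match=%b%n", predicted, actual, predicted == actual);
        System.out.println("secure token: " + secureToken());
    }
}
```

The brute force is 65,536 iterations, well under a millisecond; an attacker who sees two session tokens from a java.util.Random-backed issuer owns every token it will ever issue.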
The Update Problem
Of the 10 apps scanned, only four had been updated in February 2026. Others hadn't received updates since late 2025, and at least one hadn't been updated since September 2024. Unmaintained apps with known vulnerabilities and millions of active installs are a ticking clock.
Why This Matters
Health Data Is the Most Valuable Data on the Dark Web
Therapy records have been reported to sell for $1,000 or more per record on dark web marketplaces, far more than credit card numbers ($5-20), email credentials ($10-50), or even Social Security numbers ($30-100); the exact figures vary by source and year.
The reason is simple: therapy records contain intimate personal details that can be used for targeted blackmail, social engineering, insurance fraud, and identity theft. A stolen credit card can be cancelled. A leaked therapy transcript cannot be unread.
HIPAA Compliance Is Not Just a Checkbox
Whether HIPAA applies depends on who the app works for. Many direct-to-consumer wellness apps fall outside HIPAA entirely; an app is covered only when it is a covered entity itself or handles ePHI on behalf of one, for example as the platform of a licensed telehealth provider. Apps that do meet the definition of a Business Associate are legally required to implement reasonable security safeguards, and the rest are not off the hook either, since the FTC's Health Breach Notification Rule reaches health apps that HIPAA does not. Using java.util.Random for encryption keys and storing data in plaintext local storage is not a reasonable safeguard by any standard.
The potential HIPAA violations here are significant:
- Failure to encrypt ePHI (electronic Protected Health Information) at rest
- Failure to implement access controls on locally stored data
- Failure to conduct regular security assessments — some of these vulnerabilities would be caught by basic automated scanning
HIPAA penalties range from $100 to $50,000 per violation, with annual maximums up to $2.06 million per violation category (HHS adjusts the exact amounts for inflation each year). For apps with millions of installs, the exposure is substantial.
Google Play's Review Process Has Limits
These apps passed Google Play's review and have been available for download for years. This isn't a criticism of Google's review process — automated scanning can't catch every vulnerability — but it's a reminder that presence on an official app store is not a security endorsement.
Google Play Protect scans for known malware, not for insecure coding practices. An app can be completely malware-free while still storing your therapy notes in plaintext.
What Developers Should Take Away
If You Build Health Apps
- Use SecureRandom, not Random — For any security-sensitive operation (tokens, keys, nonces), always use a cryptographically secure random number generator, and never call setSeed() with a fixed or low-entropy value
- Encrypt local storage — Keep sensitive data in app-private storage, encrypted with a key that lives in the Android Keystore. Jetpack Security's EncryptedSharedPreferences and EncryptedFile still work, but Google deprecated that library in 2024, so new code should not build on it
- Implement root detection — Libraries like RootBeer, or the Play Integrity API (the replacement for the retired SafetyNet Attestation API), can flag compromised devices so the app can restrict access to sensitive data. Treat this as defense in depth: client-side checks can be bypassed on a rooted device, so encryption and server-side controls still matter
- Don't store API keys in plaintext — Use Android Keystore for cryptographic key management, and keep secrets that must not reach the client (backend API keys) behind a server-side proxy. Anything compiled into the APK can be extracted, whatever it is obfuscated with
- Run automated security scans — Tools like MobSF, QARK, or commercial solutions like Oversecured can catch these issues before your users find them
If You Build Any App That Handles Sensitive Data
The mental health app category is getting scrutiny because of the sensitivity of the data. But the same vulnerability patterns — insecure storage, weak token generation, plaintext configuration — exist across every category of app that handles personal data.
Run this mental checklist on your own app:
- Where is user data stored locally? Is it encrypted?
- How are session tokens generated? Are you using SecureRandom?
- What happens on a rooted device? Can other apps access your data?
- When was your last security audit? Not a pentest — just a basic automated scan?
If you can't answer these questions confidently, you have work to do.
If You Use Mental Health Apps
Until the affected apps are named and patched:
- Update all your apps — If a patch exists, make sure you have it
- Check app permissions — Does your therapy app need access to your contacts, location, or files? If so, ask why
- Prefer apps from established healthcare providers — Apps backed by hospital systems or licensed telehealth platforms are more likely (though not guaranteed) to meet security standards
- Consider what you share — If the app has a journaling feature, be aware that anything you type could potentially be accessed if the app's security is compromised
The Bottom Line
1,575 vulnerabilities across 10 apps with 14.7 million installs. Therapy transcripts stored in readable local files. Session tokens generated with predictable random number generators. Apps not updated in over a year.
This is what happens when the mobile health boom outpaces security investment. The demand for mental health apps surged during and after the pandemic, and the market rewarded speed to market over security fundamentals. The result is millions of people trusting their most sensitive personal data to apps that can't protect it.
For developers, this is a case study in what not to do — and a reminder that basic security practices aren't optional when you're handling data that can destroy lives if exposed.
Sources
- Android mental health apps with 14.7M installs filled with security flaws — BleepingComputer
- Security Researchers Find Vulnerabilities in Mental Health Apps — Oversecured Blog
- Mental health apps vulnerable, exposing sensitive user data — SC Media
- Multiple mental health apps riddled with high severity security flaws — TechRadar
- Your Mental Health App Could Be Leaking Therapy Records — Android Headlines