Recent findings have raised concerns about the security of several mental health mobile applications, which collectively boast millions of downloads on Google Play. Security researchers have identified vulnerabilities that could potentially expose users’ sensitive medical information, prompting a closer examination of these widely used tools.
Over 1,500 Security Issues Found
In a comprehensive analysis conducted by Oversecured, a mobile security company, ten mental health applications were scrutinized, revealing a staggering total of 1,575 security vulnerabilities. This included 54 high-severity, 538 medium-severity, and 983 low-severity issues. The applications in question range from mood and habit trackers to AI-driven therapy chatbots, designed to assist individuals grappling with conditions such as clinical depression, anxiety, and bipolar disorder.
| App | Type | Installs | High | Medium | Low | Total | Scan date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 01 | Mood & habit tracker | 10M+ | 1 | 147 | 189 | 337 | 01/23/2026 |
| 02 | AI therapy chatbot | 1M+ | 23 | 63 | 169 | 255 | 01/22/2026 |
| 03 | AI emotional health platform | 1M+ | 13 | 124 | 78 | 215 | 01/23/2026 |
| 04 | Health & symptom tracker | 500k+ | 7 | 31 | 173 | 211 | 01/22/2026 |
| 05 | Depression management tool | 100k+ | – | 66 | 91 | 157 | 01/23/2026 |
| 06 | CBT-based anxiety app | 500k+ | 3 | 45 | 62 | 110 | 01/22/2026 |
| 07 | Online therapy & support community | 1M+ | 7 | 20 | 71 | 98 | 01/23/2026 |
| 08 | Anxiety & phobia self-help | 50k+ | – | 15 | 54 | 69 | 01/22/2026 |
| 09 | Military stress management | 50k+ | – | 12 | 50 | 62 | 01/22/2026 |
| 10 | AI CBT chatbot | 500k+ | – | 15 | 46 | 61 | 01/23/2026 |
While none of the identified vulnerabilities are classified as critical, many present opportunities for exploitation, such as intercepting login credentials or accessing sensitive user data. The researchers utilized the Oversecured scanner to analyze the APK files of these applications, identifying patterns of known vulnerabilities across various categories.
One notable finding involved a therapy app with over one million downloads, which improperly handled user-supplied URIs. This oversight could allow an attacker to manipulate the app into accessing internal activities that should remain secure, potentially exposing sensitive therapy records.
Additionally, the research highlighted issues related to local data storage practices, which could inadvertently grant access to therapy details, including session notes and personal logs. The presence of plaintext configuration data within the APK resources further compounds these security concerns.
Moreover, some applications employed cryptographically weak methods for generating session tokens, leaving them vulnerable to unauthorized access. The lack of root detection in most of the analyzed apps raises further alarm, as rooted devices can expose all health data stored locally to any app with root privileges.
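To make the session-token finding concrete, the following added example (not code from Oversecured or from any of the scanned apps) puts a weak generator beside a hardened one. The report does not say which weak method the apps used; a timestamp-seeded `java.util.Random` is assumed here as a typical instance, and the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added illustration; names are hypothetical, not taken from any scanned app.
public class SessionTokens {

    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One shared instance; SecureRandom is thread-safe and seeded by the platform.
    private static final SecureRandom CSPRNG = new SecureRandom();

    // WEAK (assumed pattern): java.util.Random is a 48-bit linear congruential
    // generator. Every character of the token is a pure function of the seed,
    // and a timestamp seed comes from a small, guessable range.
    static String weakToken(long seed) {
        Random prng = new Random(seed);
        StringBuilder sb = new StringBuilder(32);
        for (int i = 0; i < 32; i++) {
            sb.append(ALPHABET.charAt(prng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // HARDENED: 32 bytes (256 bits) from the CSPRNG, URL-safe Base64 encoded.
    static String strongToken() {
        byte[] raw = new byte[32];
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        long issuedAt = 1769126400000L; // constructed sample timestamp in ms

        // The weak token carries no secret beyond its seed: the same seed
        // always rebuilds the same token.
        String first = weakToken(issuedAt);
        String rebuilt = weakToken(issuedAt);
        System.out.println("weak token rebuilt from seed: " + first.equals(rebuilt));

        // The hardened token has no caller-visible seed to replay.
        String a = strongToken();
        String b = strongToken();
        System.out.println("strong tokens differ: " + !a.equals(b));
    }
}
```

When reviewing an app's code, any session identifier, reset code or API key derived from `java.util.Random`, `Math.random()` or a timestamp is a candidate for replacement with the `SecureRandom` form.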
Despite six of the ten apps having no high-severity vulnerabilities, the medium-severity issues identified still pose significant risks to user privacy. The collected data from these applications encompasses some of the most sensitive personal information, including therapy session transcripts and medication schedules, often protected under HIPAA regulations.
With a collective download count exceeding 14.7 million, the urgency for robust security measures is clear. Only four of the analyzed apps have received updates as recently as this month, while others have not been updated since late 2025 or even earlier. The scans conducted by Oversecured took place between January 22 and 23, targeting the latest versions available at that time, but it remains uncertain whether the vulnerabilities have since been addressed.
As the landscape of mental health apps continues to evolve, the need for enhanced security protocols becomes increasingly paramount to protect users’ sensitive information from potential breaches.