Data protection gaps in health apps: Bremen researchers reveal contradictions between promises and practice

Bremen/Toulouse, October 22, 2025 – Researchers at the University of Bremen have, in a comprehensive study, identified significant discrepancies between the data protection promises and the actual behavior of mobile health applications. Many of these apps transmit personal data even before users have given their consent. The study, which was presented at the renowned international conference on computer security ESORICS 2025 in Toulouse, underscores the need for stricter regulations and more transparent designs in this sensitive area.

The work, titled “Transparency and Consent Challenges in mHealth Apps: An Interdisciplinary Study of Privacy Policies, Data Sharing, and Dark Patterns,” was published by Dr. Mehrdad Bahrini and five other scientists from the Digital Media Lab at the University of Bremen. It combines methods from information security, human-computer interaction, and data protection law to analyze the practices of 20 popular mHealth apps available in Germany. These applications assist users with activities such as fitness training, cycle tracking, or medication intake, processing highly sensitive health data in the process.

Using static and dynamic analysis techniques, the researchers examined the actual behavior of the apps in detail, including data flows and consent processes. The results reveal serious shortcomings: In several cases, personal information such as advertising IDs is shared with third parties even before explicit consent is given. All apps examined forward data to countries outside the EU, primarily to the USA. Around 40 percent of the applications also communicate with servers in Ireland, which is considered a central data hub in Europe. Further connections extend to Australia, Sweden, China, and Singapore, highlighting the global distribution of sensitive information.

Another problem area involves manipulative design elements, so-called dark patterns, which are present in all 20 apps. These elements are intended to push users into giving consent prematurely without fully understanding the consequences. Additionally, there are language barriers: in half of the apps with a German user interface, the privacy policies are available exclusively in English. Even in German-language versions, the wording often remains vague, with data recipients merely referred to as “partners” or “service providers” without naming specific entities.

The study makes it clear that formal compliance with the EU General Data Protection Regulation alone is not sufficient to build genuine trust. Although many apps meet legal requirements, there is a lack of real transparency and traceability for users. Especially with health data, which carries a high potential for misuse, a combination of ethical standards and regulatory requirements is essential. The researchers advocate for clearer guidelines on transparent information and design specifications that prevent manipulative practices.

In upcoming projects, the Bremen scientists want to develop automated tools to efficiently detect data flows and dark patterns. Such tools could help developers and regulatory authorities to improve the quality of digital health solutions and strengthen user protection. The findings of the study, which were recently published in professional journals, could contribute to a broader debate on data protection in the digital health industry and lead to safer applications in the long term.

LabNews Media LLC
The Editors in Chief of labnews.ai are Marita Vollborn and Vlad Georgescu. They have been bestselling authors, science writers, and science journalists since 1994. More details about their writing at X-Press Journalistenbüro (https://xpress-journalisten.com). More info on Wikipedia: About Marita: https://de.wikipedia.org/wiki/Marita_Vollborn About Vlad: https://de.wikipedia.org/wiki/Vlad_Georgescu