Once a user grants their apps Health Connect permissions, researchers were able to read and alter the health data in Android's new health data hub.
Research into Android's Health Connect platform has shown how easily the health data it stores can be read and manipulated by any app the user grants access to.
Speaking to SC UK, Sina Yazdanmehr, senior IT security consultant at Aplite GmbH, said he and his team had developed AI-backed malware targeting applications connected to Health Connect. The malware both collected data and influenced app outputs, so that the targeted apps gave incorrect recommendations.
Three Apps
In the research, recently presented at the DeepSec conference, Yazdanmehr says his team created three proof-of-concept apps that manipulate the data other apps read from Health Connect. The first targeted weight management: they changed the application's output to show that the user was staying within their daily calorie budget when they were in fact exceeding it.
The second targeted a family-planning application, where they shifted the user's predicted next fertile period, and the third a diabetes-management app, where inserted data hid high insulin levels and high blood sugar readings.
“If the user gives permission, the app that got permission to connect to Health Connect can see the data from the past 30 days that is stored in Health Connect,” he explains.
Aplite's research also demonstrated the ability to write to the user's Health Connect store, not only read from it. This included changing the user's profile so that they appear much taller, run implausibly fast or burn calories at an impossible rate.
He says: “The main problem is that Health Connect and the other applications connected to it and consuming data do not check if this data is valid based on medical science, and if, for example, the user really can burn 10,000 calories in five minutes. They just accept it, and that is the main problem for Android Health Connect.”
Read and Write Apps
Yazdanmehr explains that Health Connect is intended to replace Google Fit on all Android devices, and is an app that acts like a database, “only for health records and data; medical applications and wellness applications can connect to this API and read and write medical records from and to Health Connect.”
The Health Connect platform keeps all data on the user's device, whereas Google Fit was cloud-based.
“[Health Connect] gives data to other applications and they do the analysis and everything,” he said. “For example, let's say you have a diabetes sensor that reads your blood sugar level and writes it to Health Connect. On the other hand, you have a fitness application like MyFitnessPal or something like that, which reads this data, analyses it and gives you ‘this is your blood sugar level’.”
He said that if a user downloaded a new fitness or health-based app, they would need to approve permissions before that app could exchange data with Health Connect.
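The check Yazdanmehr describes as missing, that a consuming app sanity-checks what it reads rather than trusting every record in the shared store, is straightforward to add on the reading side. The following is an added example written for this article, not Aplite's research code and not Google's; it assumes the Jetpack Health Connect client library (androidx.health.connect:connect-client), and the energy-rate ceiling, the trusted writer package name and the log tag are illustrative assumptions. It reads the same 30-day window the researchers mention, asks Health Connect to filter by data origin, and then applies a second, explicit plausibility check so that a record claiming 10,000 kcal burned in five minutes is rejected rather than fed into the app's analysis.

```kotlin
// Added example (not from the article, Aplite or Google): a consuming app that
// refuses to trust ActiveCaloriesBurnedRecord entries from Health Connect
// blindly. Assumes the Jetpack client androidx.health.connect:connect-client.
import androidx.health.connect.client.HealthConnectClient
import androidx.health.connect.client.records.ActiveCaloriesBurnedRecord
import androidx.health.connect.client.records.metadata.DataOrigin
import androidx.health.connect.client.request.ReadRecordsRequest
import androidx.health.connect.client.time.TimeRangeFilter
import java.time.Duration
import java.time.Instant

// Hard ceiling on active energy expenditure. Assumed value for illustration:
// roughly 20 kcal/min is the upper end of what an elite athlete sustains, so
// 30 kcal/min leaves headroom while still rejecting "10,000 kcal in five
// minutes" (2,000 kcal/min). Tune per product and review with a clinician.
private const val MAX_KCAL_PER_MINUTE = 30.0

// Only trust records written by sensor apps this product has vetted.
// Hypothetical package name.
private val TRUSTED_WRITER_PACKAGES = setOf("com.example.wearable.sensor")

sealed class Verdict {
    data class Accept(val kcal: Double) : Verdict()
    data class Reject(val reason: String) : Verdict()
}

// Pure function: no Android dependencies, so it can be unit-tested off-device.
fun checkCaloriesRecord(
    kcal: Double,
    start: Instant,
    end: Instant,
    writerPackage: String,
    now: Instant = Instant.now(),
): Verdict {
    if (writerPackage !in TRUSTED_WRITER_PACKAGES) {
        return Verdict.Reject("untrusted writer $writerPackage")
    }
    if (!end.isAfter(start)) return Verdict.Reject("non-positive duration")
    if (end.isAfter(now)) return Verdict.Reject("record ends in the future")
    if (kcal < 0.0) return Verdict.Reject("negative energy")
    val minutes = Duration.between(start, end).toMillis() / 60_000.0
    val rate = kcal / minutes
    if (rate > MAX_KCAL_PER_MINUTE) {
        return Verdict.Reject("implausible rate: %.1f kcal/min".format(rate))
    }
    return Verdict.Accept(kcal)
}

// Reads the last 30 days (the window the researchers describe) and returns
// only records that pass the checks. dataOriginFilter asks Health Connect to
// make the first cut; the explicit check in checkCaloriesRecord defends
// against a misconfigured or bypassed filter.
suspend fun readTrustedCalories(
    client: HealthConnectClient,
    now: Instant = Instant.now(),
): List<ActiveCaloriesBurnedRecord> {
    val response = client.readRecords(
        ReadRecordsRequest(
            recordType = ActiveCaloriesBurnedRecord::class,
            timeRangeFilter = TimeRangeFilter.between(now.minus(Duration.ofDays(30)), now),
            dataOriginFilter = TRUSTED_WRITER_PACKAGES.map { DataOrigin(it) }.toSet(),
        )
    )
    return response.records.filter { rec ->
        val verdict = checkCaloriesRecord(
            kcal = rec.energy.inKilocalories,
            start = rec.startTime,
            end = rec.endTime,
            writerPackage = rec.metadata.dataOrigin.packageName,
            now = now,
        )
        // Surface rejects: an app bulk-writing garbage into the shared store
        // is itself a signal worth logging and alerting on.
        if (verdict is Verdict.Reject) android.util.Log.w("HealthGuard", verdict.reason)
        verdict is Verdict.Accept
    }
}
```

The same pattern applies to the other two scenarios in the research: a diabetes-management app would put physiological bounds and rate-of-change limits on glucose and insulin records, and a family-planning app would reject cycle data that is out of range or written by a package it does not recognise. None of this stops a permitted app from writing to Health Connect; it stops the consuming app from acting on what it cannot justify.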
SC UK contacted Google for comment, but had not received a response at the time of going to press. Google's developer guidance does state that new and existing app developers must complete and submit the Health apps declaration by 22 January 2025, and its ‘Health Connect by Android Permissions’ guidelines say that “only applications or services with one or more features designed to benefit users' health and fitness are permitted to request access to Health Connect permissions.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.