This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mHealth and uHealth, is properly cited. The complete bibliographic information, a link to the original publication on https://mhealth.jmir.org/, as well as this copyright and license information must be included.
Mobile health (mHealth) apps have gained significant popularity over the last few years due to their tremendous benefits, such as lowering health care costs and increasing patient awareness. However, the sensitivity of health care data makes the security of mHealth apps a serious concern. Poor security practices and lack of security knowledge on the developers’ side can cause several vulnerabilities in mHealth apps.
In this review paper, we aimed to identify and analyze the reported challenges concerning security that developers of mHealth apps face. Additionally, our study aimed to develop a conceptual framework with the challenges for developing secure apps faced by mHealth app development organizations. The knowledge of such challenges can help to reduce the risk of developing insecure mHealth apps.
We followed the systematic literature review method for this review. We selected studies that were published between January 2008 and October 2020 since the major app stores launched in 2008. We selected 32 primary studies using predefined criteria and used a thematic analysis method for analyzing the extracted data.
Of the 1867 articles obtained, 32 were included in this review based on the predefined criteria. We identified 9 challenges that can affect the development of secure mHealth apps. These challenges include lack of security guidelines and regulations for developing secure mHealth apps (20/32, 63%), developers’ lack of knowledge and expertise for secure mHealth app development (18/32, 56%), lack of stakeholders’ involvement during mHealth app development (6/32, 19%), no/little developer attention towards the security of mHealth apps (5/32, 16%), lack of resources for developing a secure mHealth app (4/32, 13%), project constraints during the mHealth app development process (4/32, 13%), lack of security testing during mHealth app development (4/32, 13%), developers’ lack of motivation and ethical considerations (3/32, 9%), and lack of security experts’ engagement during mHealth app development (2/32, 6%). Based on our analysis, we have presented a conceptual framework that highlights the correlation between the identified challenges.
While mHealth app development organizations might overlook security, we conclude that our findings can help them to identify the weaknesses and improve their security practices. Similarly, mHealth app developers can identify the challenges they face to develop mHealth apps that do not pose security risks for users. Our review is a step towards providing insights into the development of secure mHealth apps. Our proposed conceptual framework can act as a practice guideline for practitioners to enhance secure mHealth app development.
The use of mobile apps in health care has gained widespread adoption [
The security of mobile apps in general and mHealth apps in particular has become one of the primary concerns since mobile apps are more vulnerable to attacks [
Health professionals are increasingly relying upon health data collected via mHealth apps to make their decisions, such as dermatologic care [
A large part of mHealth app security relies on developers’ experience with designing and developing secure apps. We use the term developer in our research to refer to professionals who are engaged in engineering and development of mHealth apps. According to previous studies [
This review’s primary contribution is identifying the challenges that hinder the development of secure mHealth apps, such as the lack of security guidelines and regulations for developing secure mHealth apps and developers’ lack of knowledge of and expertise with secure mHealth app development. This review’s results can be beneficial to researchers and practitioners (eg, mHealth app developers, managers, research engineers) for supporting research and development of emerging and next-generation, secure mHealth apps.
The challenges for developing secure software have been receiving increasing attention in recent years. A review by Kanniah and Mahrin [
Some studies also aimed to help mobile app developers develop secure apps by providing guidelines for the development process [
Prior reviews [
This research has been undertaken as an SLR. It is one of the most widely used research methods of evidence-based software engineering. An SLR provides a well-defined process for identifying, evaluating, and interpreting all available evidence relevant to particular research. We followed the guidelines of Kitchenham et al [
Flow diagram for the selection of articles. IoT: Internet of Things; mHealth: mobile health; WSN: wireless sensor network.
Our review’s objective was to identify and codify the challenges that hinder mHealth app developers from developing secure apps. This review’s findings would enable us to identify the potential gaps that need to be further investigated based on the developers’ perspectives.
We used the following strategies to form our search string: (1) identifying the major terms based on the study focus and the research question, (2) identifying all the possible keywords and related synonyms based on our experience and previous work, (3) using the Boolean “AND” to join major terms and the Boolean “OR” to join alternative terms and synonyms. Hence, our search string for this review was as follows: (“security” OR “insecure” OR “secure”) AND (“mobile health” OR “mobile healthcare” OR “mobile health-care” OR “mobile health care” OR “telehealth” OR “mhealth”).
We used the Scopus digital library as our primary search library as there are many successful examples of other researchers (eg, [
As illustrated in
We ran our search string in the Scopus digital library. Thus, we retrieved a total of 1867 potential articles.
We carefully reviewed the title and keywords to decide whether each of the retrieved articles was relevant to our SLR. We retained the papers for the next inspection when we could not decide by reading the titles and keywords. Thus, we excluded 1402 articles and included 465 articles for the next phase.
We read the abstract and introduction for each article. This phase enabled us to include 192 articles and discard 273 articles.
We scanned the entire article to ensure that it was relevant to our SLR objective. Thus, we included 95 articles and excluded 97 articles.
We critically reviewed the included papers and excluded duplicates (eg, extended versions of the studies were included, and shorter versions were excluded). Thus, we excluded 63 articles and included 32 studies, referred to as S1 to S32. A list of the included papers is presented in
For the purpose of this review, we applied predefined inclusion and exclusion criteria for paper selection. We included primary studies that focused on the development process of secure mHealth apps, studies written in English published from January 2008 to October 2020 since major app stores (Google Play and Apple Store) were launched in 2008, and peer-reviewed publications (ie, journals, conferences, workshops, and book chapters).
Besides excluding non-peer-reviewed studies (ie, lecture notes, summaries, panels, and posters) and studies that were not written in English, we excluded studies that contained irrelevant content for our review such as studies that focused on investigating technical solutions (eg, encryption methods, authentication mechanisms, access control) for mHealth apps; studies providing technical solutions to connect mHealth apps to Internet of Things (IoT) devices or cloud computing technology; studies that focused on sensor layers (eg, wireless sensor networks), developing algorithms, or network protocols for mHealth apps; studies that focused on mHealth app quality or gathering functional requirements; and studies that examined user experiences with some mHealth apps (eg, patient management apps).
We divided the extracted data into 2 categories: study characteristics and the challenges for developing secure mHealth apps. Our data extraction form is shown in
To further enhance our analysis, we developed a conceptual framework to present the correlation among the identified challenges. We followed the steps of Regoniel [
Example of the steps of applying the thematic analysis to the qualitative data. mHealth: mobile health.
We now present the findings of our SLR. We classified the findings into demographic information, challenges for developing secure mHealth apps, and the conceptual framework for the identified challenges.
In this subsection, we present the study characteristics based on the outlet (ie, journal, conference, or workshop) of the selected papers, as shown in
Providing such information would be helpful for new researchers interested in conducting research in this particular area. We selected 32 primary studies for this review. The complete list of the reviewed articles is available in
The number of selected studies published per year and their distribution by outlet.
Year | Journals, n | Conferences, n | Workshops, n |
2012 | 1 | 1 | 0 |
2013 | 0 | 0 | 0 |
2014 | 5 | 1 | 0 |
2015 | 4 | 2 | 0 |
2016 | 2 | 0 | 0 |
2017 | 3 | 0 | 1 |
2018 | 4 | 0 | 0 |
2019 | 4 | 1 | 1 |
2020 | 0 | 2 | 0 |
This subsection reports the results based on our analysis to answer the study research question: “What are the challenges that developers of mHealth apps face with respect to implementing security?” Our analysis identified 9 challenges (referred to as C1 to C9) that hinder app developers from developing secure mHealth apps. The identified challenges were ordered based on their frequency within the reviewed studies.
Challenges with developing secure mobile health (mHealth) apps (identified from 32 studies).
Challenge number and description | Key points from reviewed studies | Frequency, n (%) |
C1. Lack of security guidelines and regulations for developing secure mHealth apps | Lack of security guidelines, regulations, direct laws about the security requirements, secure designing, security testing, security features that need to be employed in mHealth apps (S4 [ | 20 (63) |
C2. Developers’ lack of knowledge of and expertise with secure mHealth app development | Insufficient knowledge of software developers about the security risks of mHealth apps (S12 [ | 18 (56) |
C3. Lack of stakeholders’ involvement during mHealth app development | Lack of stakeholders’ participation during the development lifecycle of mHealth apps (S5 [ | 6 (19) |
C4. No or little attention by developers towards the security of mHealth apps | Developers’ assumption that users are not concerned about security (S32 [ | 5 (16) |
C5. Lack of financial resources for developing secure mHealth apps | No/low budget assigned for employing security measures (S32 [ | 4 (13) |
C6. Time constraints during the mHealth app development process | Rushing to market, which leaves vulnerabilities in mHealth apps (S18 [ | 4 (13) |
C7. Lack of security testing during mHealth app development | Lack of security testing (S32 [ | 4 (13) |
C8. Developers’ lack of motivation and ethical considerations | Lack of motivation for developers during the development process of mHealth apps (S27 [ | 3 (9) |
C9. Lack of security experts’ engagement during mHealth app development | Lack of collaboration and discussion with security experts from the beginning of the development lifecycle of mHealth apps (S18 [ | 2 (6) |
a APIs: application programming interfaces.
b TLS: Transport Layer Security.
Security guidelines refer to a set of suggested actions or recommendations for things to do or avoid during software development [
The security knowledge of mobile app developers plays a significant part in developing secure mHealth apps. Lack of security knowledge would result in creating an insecure app that may leak health-critical data to attackers. The reviewed studies indicated that mHealth app developers do not have enough security education covering important security aspects. Consequently, developers follow insecure programming practices (eg, employing improper security solutions; S22 [
Keeping in mind that the threat landscape is changing rapidly, dealing with the volatile environment requires developers to keep their security knowledge sharp. Even security experts need to update their knowledge [
Involving stakeholders in security requirement engineering is being recognized as key to software success and getting effective and impactful outcomes [
The development process of mHealth apps can be supported by using security resources to enhance secure mHealth app development. Lack of necessary resources, such as technology, is a challenge that can directly impact developing secure mHealth apps. For example, security tools (eg, Zed Attack Proxy, Android Debug Bridge, Codified Security, White Hat Security, and Quick Android Review Kit) are resources to facilitate writing secure code and testing apps during the development process. They help developers catch errors that they might be unaware of and adjust their code accordingly before releasing an app. Wurster and van Oorschot [
Similarly, software libraries can be used as supportive resources to facilitate the software development process. Such libraries help developers reuse specific code for certain goals and support access to hardware and software that might be needed. Yet, it can be challenging for developers to know which library to trust while developing mHealth apps. There can be a risk of data leakage by using untrusted libraries (S16 [
Older versions of security resources (ie, tools and libraries) also contain known vulnerabilities (S18 [
Incorporating security should ideally be considered throughout SDLC from requirement analysis to the deployment phase [
Due to business pressures (eg, rushing to market), delivering an app on time tends to be the main aim that mHealth app developers try to satisfy for customers while avoiding extra costs. High workload and tight timeframes require mHealth app developers to put more effort into meeting functional requirements as their primary task (S18 [
Security testing is one of the essential phases of the mHealth app development lifecycle. Security testing helps determine the quality of apps by ensuring all the security requirements are met. Security testing for mHealth apps, in particular, will help figure out how an app will react against different attacks (eg, unauthorized access to health data, tampering with health data, or reporting invalid health data to health professionals; S11 [
A security expert, security leader, or security champion within an organization plays a vital role during the mHealth app development process (S7 [
Motivation refers to the driving force behind all the actions of developers during development. It has been recognized as a critical success factor for software projects. Motivation can be seen differently based on developers and an organization’s size [
Based on our analysis of the extracted data, we propose a conceptual framework, as in
A conceptual framework for correlating the challenges in developing secure mHealth apps.
Based on the results of
Despite the fact that other challenges were given less attention by the reviewed studies (ie, 19% for C3, 16% for C4, 13% for C5-C7, 9% for C8, and 6% for C9), some challenges have a direct relationship with other challenges as we indicated earlier (eg, poor security decisions during mHealth app development are related to insufficient security knowledge by developers). Consequently, there will be an impact on the development process of mHealth apps. Therefore, we believe identifying these challenges would help mHealth app development organizations evaluate their security practices and readiness in implementing security in mHealth app projects.
While mHealth apps enable health care services, the security of end users’ health data remains a challenge. This review aimed to identify the challenges that prevent development of secure mHealth apps based on the existing literature. We identified 9 challenges based on the analysis of the data extracted from 32 articles. The identified challenges include (1) lack of security guidelines and regulations for developing secure mHealth apps, (2) developers’ lack of knowledge of and expertise with secure mHealth app development, (3) lack of stakeholders’ involvement during mHealth app development, (4) no or little attention by developers towards the security of mHealth apps, (5) lack of resources for developing secure mHealth apps, (6) project constraints during the mHealth app development process, (7) lack of security testing during mHealth app development, (8) developers’ lack of motivation and ethical considerations, and (9) lack of security experts’ engagement during mHealth app development. We noticed from the literature that there is an emphasis on presenting the security issues of mHealth apps and how they can be resolved (eg, presenting security framework, providing secure mHealth app development recommendations, evaluating the security for existing mHealth apps). However, little attention has been given to the human factor during the development process of mHealth apps (ie, nontechnical solutions). Hence, it would be critical to recognize the security challenges that mHealth app developers face during the development process.
Sufficient security knowledge for mHealth app developers is one of the key factors that would help develop secure apps. Security knowledge can be discussed as the type of required security knowledge and the sources of acquiring that knowledge. According to Barnum and McGraw [
Likewise, even when developers use trusted sources (ie, tools and libraries), it can be challenging for them to be aware of how to use these sources securely. So, we suggest further improvement to facilitate mHealth app developers’ jobs by exploring the list of trusted sources. Identifying trusted sources with their policies, terms, and conditions of usage and the proper ways of receiving updates would help mHealth app developers to develop secure apps. At the same time, this approach would help disseminate and provide security knowledge for mHealth app developers through trusted sources.
“A critical challenge facing software security today is the dearth of experienced practitioners” [
Our analysis shows that developers’ lack of security knowledge and expertise for secure mHealth app development is correlated with most of the identified challenges. For instance, developing secure mHealth apps requires good knowledge about security guidelines, security tools, and the trusted libraries (ie, awareness of how, when, and why they should utilize them). It is worth mentioning that development of secure mHealth apps has become complex and challenging. mHealth apps require connection with external sensors or devices (eg, wearable devices, implantable devices) [
The results of our review enabled us to propose the following areas that warrant future research on the secure development of mHealth apps.
In this review, we identified the challenges that hinder developing secure mHealth apps based on an SLR. We plan to conduct an empirical study to investigate the challenges with real-world practitioners to validate our results. The planned future research would enable us to compare the challenges identified from the literature with real-world practices for better understanding. Further, we aim to study the practices that real-world practitioners use to overcome the identified challenges. As a consequence, this would allow us to define which challenges are correlated with which practices. Hence, identifying the challenges and practices would help us to extend the current conceptual framework and provide a body of knowledge for secure mHealth app development.
Since motivations and ethical considerations play an essential role in the secure mHealth app development process, we assert that there is a need to conduct an empirical study to understand developers’ motivational factors and what inspires them to ensure the security of mHealth apps (eg, security leaders, reward, recognition, career path, or promotion). Such a study can be further investigated by collecting quantitative data (eg, hypothesis testing) or qualitative data. This would create a better understanding and help mHealth app development organizations to realize and focus on the motivational factors.
One of the potential threats to our SLR is missing or excluding relevant studies. To mitigate this threat, we used the Scopus library as our data source. Scopus is considered the largest indexing system that provides the most comprehensive search engine, among other digital libraries [
Our research can be influenced by the researcher’s bias in extracting data from the reviewed studies, which may negatively affect the findings. To overcome this threat, we extracted data based on a predefined data extraction form (see
This review was motivated by the growing amount of attention paid to mobile apps, particularly mHealth apps. We aimed to analyze and synthesize the literature to identify the challenges that hinder mHealth app developers from developing secure apps. Our review followed an SLR approach and selected 32 studies that we believed were relevant to our study. We identified and discussed 9 challenges faced by mHealth app developers to develop secure apps. We also provided a conceptual framework for the identified challenges and presented several challenges linked to the body of knowledge found in this literature review. Our findings can be valuable for researchers and practitioners (eg, mHealth app developers, managers) to support research and development of secure mHealth apps. For researchers, this review can help formulate and test hypotheses. Furthermore, ideal and innovative solutions can be proposed to address these challenges. For practitioners, our review can help understand the existing challenges for developing secure mHealth apps from the literature. This would help resolve these challenges at the early stages of the mHealth app development process.
List of the reviewed studies.
Data extraction form.
GDPR: General Data Protection Regulation
HIPAA: Health Insurance Portability and Accountability Act
IoT: Internet of Things
mHealth: mobile health
OWASP: Open Web Application Security Project
SDLC: software development lifecycle
SLR: systematic literature review
We thank Dr Leonardo Horn Iwaya and Dr Faheem Ullah for playing the role of expert independent researchers during the key phases (eg, study selection, data extraction and synthesis) of this study. We also thank the anonymous reviewers for their valuable comments and suggestions that improved the paper. This work is partially funded by the Cyber Security Cooperative Research Centre.
None declared.