The reviewed record of science sign in
Pith

arxiv: 2605.02016 · v3 · pith:HLR5CMQZ · submitted 2026-05-03 · cs.CR · cs.CY

What's on Your Mind? Exploring Privacy of Mental Health Apps

Reviewed by Pith2026-07-01 00:07 UTCgrok-4.3pith:HLR5CMQZopen to challenge →

classification cs.CR cs.CY
keywords mental health appsprivacy policiestracker SDKsinformed consentAndroid permissionsthird-party data sharingAI processingtransparency gaps
0
0 comments X

The pith

Mental health apps embed trackers and request permissions their policies do not disclose.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper analyzes 25 popular Android mental health and life-coaching apps to test whether their privacy policies accurately reflect actual data practices. It combines static code inspection, live network monitoring, and automated policy text extraction to surface mismatches. Every app turns out to embed at least one tracker SDK that its policy never names, more than half the apps omit at least half their trackers, and 13 apps declare dangerous permissions such as camera or microphone access without ever mentioning the corresponding data collection. Because these apps routinely receive highly personal information about traumas, relationships, and mental states, the gaps prevent users from giving informed consent. The authors conclude that existing disclosure standards are inadequate and call for regulatory updates modeled on the ethical rules that govern licensed therapists.

Core claim

Static analysis, dynamic network capture, and LLM-assisted policy extraction on the 25 apps show that every app contains at least one tracker SDK absent from its policy, 68 percent of apps fail to name at least half the trackers found in their APKs, 16 permission-policy contradictions appear across 13 apps (including six that request camera or microphone access without disclosure), 48 percent of apps acknowledge third-party AI processing while seven use only generic language that leaves the recipients unnamed, and one app forwards journal entries to three different AI providers at once. These concrete mismatches demonstrate that current disclosure practices fall short of the transparency req

What carries the argument

Side-by-side comparison of app manifest permissions, observed network destinations, and extracted privacy-policy statements across the 25 apps.

If this is right

  • Every examined app embeds at least one undisclosed tracker SDK.
  • Thirteen apps declare dangerous permissions that their policies omit.
  • Six apps request camera or microphone access without any corresponding disclosure.
  • Nearly half the apps send data to third-party AI services, sometimes to multiple providers simultaneously.
  • Existing disclosure practices do not support meaningful informed consent, so a significantly updated regulatory framework is required.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • App stores or regulators could require machine-readable lists of all embedded SDKs and AI recipients.
  • Similar side-by-side checks could be applied to other categories of apps that handle sensitive personal data.
  • Users might change behavior if they could see automated comparisons between an app's declared policy and its actual traffic.
  • Therapy-app developers would need to audit every third-party component before release to avoid the contradictions found here.

Load-bearing premise

The 25 chosen apps together with the static, dynamic, and LLM-assisted methods capture the full set of real privacy practices without missing material trackers or misreading policies.

What would settle it

A complete re-run of the same static, dynamic, and policy analysis on these 25 apps that finds every detected tracker named in the policies and zero permission contradictions would falsify the reported transparency gaps.

Figures

Figures reproduced from arXiv: 2605.02016 by Chloe Georgiou, Emiliano De Cristofaro, Gene Tsudik, Hans Lu.

Figure 1
Figure 1. Figure 1: Primary and secondary functions of the 25 apps in our corpus, denoted by dark/big and light/small circles view at source ↗
Figure 2
Figure 2. Figure 2: Overview of our measurement pipeline. APKs are an￾alyzed statically (via Androguard and MobSF) and dynamically (via Wireshark) to extract behavior evidence. Privacy policies are processed via keyword matching and LLM-based extraction to produce structured policy claims. The resulting disclosure gap quantifies the divergence between observed app behavior and what apps actually disclose. camera is the kind o… view at source ↗
Figure 3
Figure 3. Figure 3: 3rd-party trackers detected by MobSF in the 25 apps. profile before users actually start using the app. Another 4 apps (20%) explicitly reassure users that their data is pri￾vate. For example, Wysa states that nicknames are “pri￾vate,” Youper that conversations are “private and safe,” Happify that answers will “remain completely confiden￾tial,” and Aura that answers are “private and will not be shared.” As… view at source ↗
Figure 5
Figure 5. Figure 5: Tracker disclosure per app. Each tracker detected by the static (MobSF) or dynamic (Wireshark) scan is counted once and classified by whether the privacy policy names it. The five apps requiring organizational access codes are excluded from both analyses. in the policy. Talkie is the clearest outlier: its APK and net￾work traffic together expose 18 distinct tracker vendors, none of which appear in its poli… view at source ↗
Figure 6
Figure 6. Figure 6: LLM extraction prompt template for privacy policy analysis. C Trackers In view at source ↗
read the original abstract

Therapy and life-coaching apps have been rapidly growing in number, flavors, and popularity. However, their users routinely share highly sensitive and personal information, such as traumas, fantasies, desires, relationship difficulties, and other mental health concerns. This prompts the need for an empirical analysis of privacy practices in this ecosystem, and particularly the alignment between these apps' privacy policies and their actual behavior. In this paper, we present a comprehensive analysis of 25 popular Android mental health and life-coaching apps, combining static analysis, dynamic network capture, and LLM-assisted privacy policy extraction validated against manual annotation. Our findings highlight serious concerns and substantial transparency gaps. First, every app embeds at least one tracker SDK that its privacy policy does not name, and 68% of apps fail to disclose at least half of the trackers detected in their APKs; Talkie alone embeds 20 while naming none. Second, we identify 16 permission-policy contradictions across 13 apps, i.e., a dangerous permission is declared in the manifest but omitted from the policy, including 6 apps that request camera or microphone access without disclosing photo, video, or audio collection. Third, 48% of apps disclose third-party AI processing (e.g., via OpenAI, Anthropic, Groq), with one app sending journal entries to all three simultaneously, while 7 apps use only generic language that leaves recipients unidentified. Taken together, our findings demonstrate that current disclosure practices fall short of the transparency required for meaningful informed consent. We argue for a significantly updated regulatory framework governing therapy apps in the spirit of the professional and ethical standards that bind licensed human therapists.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper presents a multi-method empirical analysis of 25 popular Android mental health and life-coaching apps. It combines static APK inspection for trackers and permissions, dynamic network traffic capture, and LLM-assisted extraction of privacy policies (validated against manual annotation). Key results include: every app embeds at least one tracker SDK not named in its policy, with 68% failing to disclose at least half of detected trackers (Talkie embeds 20, names none); 16 permission-policy contradictions across 13 apps, including 6 that request camera/microphone without disclosing collection; and 48% disclose third-party AI processing (e.g., OpenAI, Anthropic), while 7 use only generic language. The authors conclude that these disclosure gaps mean current practices fall short of the transparency needed for meaningful informed consent and argue for an updated regulatory framework modeled on standards for licensed therapists.

Significance. If the detection methods prove comprehensive, the quantified findings provide concrete evidence of transparency shortfalls in a domain handling highly sensitive data, strengthening the case for policy intervention. The multi-method design and manual validation of LLM outputs are methodological strengths that enhance credibility over purely static or policy-only studies. The specific counts on undisclosed trackers, contradictions, and AI recipients offer falsifiable observations useful for future replication or regulatory reference.

major comments (2)
  1. [§3.2] §3.2 (Dynamic Analysis): The description of network traffic capture provides no details on exercised test paths, permission-triggered flows, or coverage metrics. This is load-bearing for the central claim because incomplete path coverage could produce false negatives in tracker and AI recipient detection, directly affecting the 'every app' undisclosed tracker result and the 68% non-disclosure statistic.
  2. [§3.3] §3.3 (LLM-assisted Policy Extraction): Although the method is stated to be validated against manual annotation, no quantitative validation metrics (precision, recall, disagreement rate, or example cases) are reported. This is load-bearing for the informed-consent conclusion because it affects confidence in the 48% AI-processing disclosure rate and the count of 7 apps using only generic language.
minor comments (1)
  1. [Abstract] The abstract and results could more explicitly state the total number of trackers detected across the corpus to allow readers to assess the scale of the 68% figure.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback highlighting opportunities to strengthen the methodological transparency of our multi-method analysis. We address each major comment below and will revise the manuscript to incorporate the requested details.

read point-by-point responses
  1. Referee: [§3.2] §3.2 (Dynamic Analysis): The description of network traffic capture provides no details on exercised test paths, permission-triggered flows, or coverage metrics. This is load-bearing for the central claim because incomplete path coverage could produce false negatives in tracker and AI recipient detection, directly affecting the 'every app' undisclosed tracker result and the 68% non-disclosure statistic.

    Authors: We agree that the current description of dynamic analysis in §3.2 is insufficiently detailed. In the revised manuscript we will expand this section to specify the exercised test paths (onboarding, account creation, journaling/mood logging, AI chat interactions, and explicit permission grants for camera/microphone), the automation approach used to trigger permission flows, session durations, and any coverage indicators obtained during network capture. These additions will directly support the reliability of the tracker-detection results. revision: yes

  2. Referee: [§3.3] §3.3 (LLM-assisted Policy Extraction): Although the method is stated to be validated against manual annotation, no quantitative validation metrics (precision, recall, disagreement rate, or example cases) are reported. This is load-bearing for the informed-consent conclusion because it affects confidence in the 48% AI-processing disclosure rate and the count of 7 apps using only generic language.

    Authors: We acknowledge that quantitative validation metrics for the LLM-assisted policy extraction were not reported, even though manual validation was performed. In the revision we will add a dedicated paragraph or table in §3.3 presenting precision, recall, disagreement rate, and representative examples of LLM vs. manual annotation outcomes. This will increase confidence in the 48% AI-disclosure figure and the count of generic-language apps. revision: yes

Circularity Check

0 steps flagged

No circularity: pure empirical measurement study

full rationale

The paper performs static APK inspection, dynamic network capture, and LLM-assisted (manually validated) policy extraction on 25 apps, then reports direct counts of trackers, contradictions, and disclosures. No equations, fitted parameters, predictions, ansatzes, or derivation chains exist. No self-citations are invoked as load-bearing uniqueness theorems or to justify methods. All claims reduce to observable outputs from the selected apps' manifests, traffic, and policy text; the analysis is self-contained against external benchmarks and contains no self-definitional or fitted-input steps.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on domain assumptions about the completeness of analysis techniques and the representativeness of the chosen app sample; no free parameters or invented entities are introduced.

axioms (2)
  • domain assumption Static and dynamic analysis reliably detect all embedded tracker SDKs and permission usages in the APKs.
    Required to support the claim that every app embeds at least one undisclosed tracker and that contradictions exist.
  • domain assumption The 25 popular apps form a representative sample of the mental health and life-coaching app ecosystem.
    Basis for generalizing findings to the broader category and regulatory recommendations.

pith-pipeline@v0.9.1-grok · 5836 in / 1383 out tokens · 47091 ms · 2026-07-01T00:07:44.656970+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

65 extracted references · 65 canonical work pages

  1. [1]

    Research & stats

    7 Cups. Research & stats. https://www.7cups.com/about/ research-stats.php, 2026. Accessed April 2026

  2. [2]

    Alqahtani and R

    F. Alqahtani and R. Orji. Insights from user reviews to improve mental health apps.Health informatics journal, 26(3), 2020

  3. [3]

    ACA code of ethics

    American Counseling Association. ACA code of ethics. https://www.counseling.org/resources/aca-code-of- ethics.pdf, 2014. Accessed April 2026

  4. [4]

    Ethical principles of psychologists and code of conduct (2002, amended 2010 and 2017)

    American Psychological Association. Ethical principles of psychologists and code of conduct (2002, amended 2010 and 2017). https://www.apa.org/ethics/code, 2017. Ac- cessed April 2026

  5. [5]

    Andow, S

    B. Andow, S. Y. Mahmud, W. Wang, J. Whitaker, W. Enck, B. Reaves, K. Singh, and T. Xie. PolicyLint: investigating internal privacy policy contradictions on google play. In USENIX Security, pages 585–602, 2019

  6. [6]

    Andow, S

    B. Andow, S. Y. Mahmud, J. Whitaker, W. Enck, B. Reaves, K.Singh,andS.Egelman. Actionsspeaklouderthanwords: Entity-Sensitive privacy policy and data flow analysis with PoliCheck. InUSENIX Security, pages 985–1002, 2020

  7. [7]

    Baumel, F

    A. Baumel, F. Muench, S. Edan, and J. M. Kane. Digital peer-support platform (7Cups) as an adjunct treatment for women with postpartum depression.JMIR mHealth and uHealth, 6(2):e38, 2018

  8. [8]

    Baumel, F

    A. Baumel, F. Muench, S. Edan, and J. M. Kane. Objec- tive user engagement with mental health apps: systematic search and panel-based usage analysis.Journal of Medical Internet Research, 21(9), 2019

  9. [9]

    F. F. Belz, N. J. Vega Potler, I. N. S. Johnson, and R. P. F. Wolthusen. Lessons from low- and middle-income coun- tries: Alleviating the behavioral health workforce shortage in the United States.Psychiatric Services, 75(7), 2024

  10. [10]

    S. Bradley. Replika CEO Eugenia Kuyda on launch- ing Wabi. https://www.businessinsider.com/replika-ceo- eugenia-kuyda-launch-wabi-2025-10, 2025. Accessed April 2026

  11. [11]

    Examining risks in the AI companion application ecosystem,

    N.G.Brigham, L.Qin, andT.Kohno. Examiningrisksinthe AI companion application ecosystem. arXiv:2603.13620, 2026

  12. [12]

    Headspace statistics

    Business of Apps. Headspace statistics. https://www. 14 businessofapps.com/data/headspace-statistics/, 2025. Ac- cessed April 2026

  13. [13]

    Coffield and K

    E. Coffield and K. Kausar. Evaluating user engagement with a real-time, text-based digital mental health support app: Cross-sectional, retrospective study.JMIR mHealth and uHealth, 2025

  14. [14]

    Filippova, K

    A.F.Cooper, C.A.Choquette-Choo, M.Bogen, M.Jagielski, K. Filippova, K. Liu, A. Chouldechova, J. Hayes, Y. Huang, N. Mireshghallah, et al. Machine unlearning doesn’t do what you think: Lessons for generative ai policy, research, and practice.arXiv:2412.06966, 2024

  15. [15]

    Cuevas, J

    Á. Cuevas, J. González Cabañas, A. Arrate, and R. Cuevas. Does Facebook use sensitive data for advertising purposes? Worldwide analysis and GDPR impact. InACM IMC, 2021

  16. [16]

    Desnos and G

    A. Desnos and G. Gueguen. Androguard: Reverse en- gineering and malware analysis of Android applications. https://github.com/androguard/androguard, 2024

  17. [17]

    Z. Dong, T. Liu, J. Deng, L. Li, M. Yang, M. Wang, G. Xu, and G. Xu. Exploring covert third-party identifiers through external storage in the android new era. InUSENIX Secu- rity, pages 4535–4552, 2024

  18. [18]

    Z. Dong, L. Wang, H. Xie, G. Xu, and H. Wang. Privacy analysis of period tracking mobile apps in the post-roe v. wade era. InASE, pages 1–6, 2022

  19. [19]

    Legacy Article 29 Work- ing Party

    European Data Protection Board. Legacy Article 29 Work- ing Party. https://www.edpb.europa.eu/system/files/ 2023-09/wp260rev01_en.pdf, 2023. Last Accessed April 2026

  20. [20]

    ePrivacy direc- tive

    European Data Protection Supervisor. ePrivacy direc- tive. https://www.edps.europa.eu/data-protection/our- work/subjects/eprivacy-directive_en,2026. AccessedApril 2026

  21. [21]

    Faizullabhoy and S

    M. Faizullabhoy and S. Wangnoo. Mental health apps market size, forecasts report 2026–2035. https://www.gminsights.com/industry-analysis/mental- health-apps-market, Apr. 2026. Accessed April 2026

  22. [22]

    FTC to ban BetterHelp from revealing consumers’ data, including sensitive mental health information, to Facebook and others for targeted advertising

    Federal Trade Commission. FTC to ban BetterHelp from revealing consumers’ data, including sensitive mental health information, to Facebook and others for targeted advertising. https://www.ftc.gov/news- events/news/press-releases/2023/03/ftc-ban-betterhelp- revealing-consumers-data-including-sensitive-mental- health-information-facebook, 2023

  23. [23]

    Rep- lika

    Garante per la protezione dei dati personali. AI: the Italian supervisory authority fines company behind chatbot “Rep- lika”. https://www.edpb.europa.eu/news/national- news/2025/ai-italian-supervisory-authority-fines- company-behind-chatbot-replika_en, May 2025

  24. [24]

    A. Gorla. On the analysis of mobile apps. why is most of our research on android? InISEC, pages 1–1, 2024

  25. [25]

    for an app supposed to make its users feel better, it sure is a joke

    M. R. Haque and S. Rubya. “for an app supposed to make its users feel better, it sure is a joke” an analysis of user reviews of mobile mental health applications.Proceedings of the ACM on Human-Computer Interaction, 6:1–29, 2022

  26. [26]

    Hawekotte

    K. Hawekotte. Does industry self-regulation of mental health apps protect consumers? The Regulatory Review, https://www.theregreview.org/2023/11/21/hawekotte- does-industry-self-regulation-of-mental-health-apps- protect-consumers/, 2023

  27. [27]

    Assessmentofthe data sharing and privacy practices of smartphone apps for depression and smoking cessation.JAMA Network Open, 2(4):e192542, 2019

    K.Huckvale, J.Torous, andM.E.Larsen. Assessmentofthe data sharing and privacy practices of smartphone apps for depression and smoking cessation.JAMA Network Open, 2(4):e192542, 2019

  28. [28]

    L. H. Iwaya, A. Ahmad, and M. A. Babar. On the privacy of mental health apps: An empirical investigation and its implications for app development.Empirical Software En- gineering, 28(1):2, 2022

  29. [29]

    B. T. Kaveladze, A. R. Wasil, J. B. Bunyi, V. Ramirez, and S. M. Schueller. User experience, engagement, and pop- ularity in mental health apps: Secondary analysis of app analytics and expert app reviews.JMIR Human Factors, 9(1):e30766, 2022

  30. [30]

    J. Kim. Data brokers and the sale of americans’ mental health data: The exchange of our most sensitive data and what it means for personal privacy. Technical report, Duke University Sanford School of Public Policy, 2023

  31. [31]

    Kishnani, N

    U. Kishnani, N. Noah, S. Das, and R. Dewri. Assessing secu- rity, privacy, user interaction, and accessibility features in popular e-payment applications. InEuroUSEC, pages 143– 157, 2023

  32. [32]

    Kollnig, R

    K. Kollnig, R. Binns, P. Dewitte, M. Van Kleek, G. Wang, D. Omeiza, H. Webb, and N. Shadbolt. A fait accompli? an empirical study into the absence of consent to third-party tracking in android apps. InSOUPS, pages 181–196, 2021

  33. [33]

    Kollnig, A

    K. Kollnig, A. Shuba, R. Binns, M. Van Kleek, and N. Shad- bolt. Are iphones really better for privacy? comparative study of ios and android apps.arXiv:2109.13722, 2021

  34. [34]

    Kumar, S

    R. Kumar, S. Kishore, H. Lu, and A. Prakash. Security anal- ysis of unified payments interface and payment apps in in- dia. InUSENIX Security, 2020

  35. [35]

    Kwesi, J

    J. Kwesi, J. Cao, R. Manchanda, and P. Emami-Naeini. Ex- ploringusersecurityandprivacyattitudesandconcernsto- ward the use of General-Purpose LLM chatbots for mental health. InUSENIX Security, pages 6007–6024, 2025

  36. [36]

    N. Lau, A. O’Daffer, S. Colt, J. P. Yi-Frazier, T. M. Palermo, E.McCauley, andA.R.Rosenberg. AndroidandiPhonemo- bileappsforpsychosocialwellnessandstressmanagement: Systematic search in app stores and literature review.JMIR mHealth and uHealth, 8(5):e17798, 2020

  37. [37]

    W. Liu, X. Liu, Y. Feng, K. Huang, Z. Jin, Y. Cao, Y. Liu, and Q. Liu. Wtdetect: a third-party website tracking de- tection framework for android applications.Cybersecurity, 8(1):96, 2025

  38. [38]

    J. C. Looi, S. Allison, T. Bastiampillai, P. A. Maguire, S. Kisely, S. Reutens, and R. C. Looi. Cybersecurity lessons from the Vastaamo psychotherapy data breach for psychia- trists and other mental healthcare providers.Australasian Psychiatry, 33(1):106–110, 2024

  39. [39]

    J. M. Marshall, D. A. Dunstan, and W. Bartik. Apps with maps—anxiety and depression mobile apps with evidence- based frameworks: systematic search of major app stores. JMIR mental health, 7(6), 2020

  40. [40]

    android_rules.yaml: Android static analysis rules for Mobile Security Framework (MobSF)

    MobSF Project. android_rules.yaml: Android static analysis rules for Mobile Security Framework (MobSF). https://github.com/MobSF/Mobile-Security-Framework- MobSF/blob/master/mobsf/StaticAnalyzer/views/ android/rules/android_rules.yaml, 2024

  41. [41]

    appsec.py: App security score com- putation in Mobile Security Framework (MobSF)

    MobSF Project. appsec.py: App security score com- putation in Mobile Security Framework (MobSF). https://github.com/MobSF/Mobile-Security-Framework- MobSF/blob/master/mobsf/StaticAnalyzer/views/ common/appsec.py, 2024

  42. [42]

    Mobilesecurityframework(MobSF):Auto- mated mobile application security testing

    MobSFProject. Mobilesecurityframework(MobSF):Auto- mated mobile application security testing. https://github. 15 com/MobSF/Mobile-Security-Framework-MobSF, 2024

  43. [43]

    Mohamed, A

    R. Mohamed, A. Arunasalam, H. Farrukh, J. Tong, A. Bianchi, and Z. B. Celik. ATTention please! an inves- tigation of the app tracking transparency permission. In USENIX Security, pages 5017–5034, 2024

  44. [44]

    Owens, A

    K. Owens, A. Alem, F. Roesner, and T. Kohno. Electronic monitoring smartphone apps: An analysis of risks from technical, Human-Centered, and legal perspectives. In USENIX Security, 2022

  45. [45]

    Razaghpanah, R

    A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez, S. Sundaresan, M. Allman, C. Kreibich, P. Gill, et al. Apps, trackers, privacy, and regulators: A global study of the mo- bile tracking ecosystem. InNDSS, 2018

  46. [46]

    Reardon, Á

    J. Reardon, Á. Feal, P. Wijesekera, A. Elazari Bar On, N. Vallina-Rodriguez, and S. Egelman. 50 ways to leak your data: An exploration of apps’ circumvention of the android permissions system. InUSENIX Security, pages 603–620, 2019

  47. [47]

    Young people in China are embracing AI therapy

    Rest of World. Young people in China are embracing AI therapy. https://restofworld.org/2025/young-people-in- china-are-embracing-ai-therapy/, 2025. Accessed April 2026

  48. [48]

    won’t somebody think of the children?

    I. Reyes, P. Wijesekera, J. Reardon, A. Elazari Bar On, A. Razaghpanah, N. Vallina-Rodriguez, and S. Egelman. “won’t somebody think of the children?” examining coppa complianceatscale.ProceedingsonPrivacyEnhancingTech- nologies, (3):63–83, 2018

  49. [49]

    Samarin, S

    N. Samarin, S. Kothari, Z. Siyed, O. Bjorkman, R. Yuan, P. Wijesekera, N. Alomar, J. Fischer, C. Hoofnagle, and S.Egelman. LessonsinVCRRepair: ComplianceofAndroid App Developers with the California Consumer Privacy Act (CCPA).arXiv:2304.00944, 2023

  50. [50]

    N. A. Sayer, A. Kaplan, D. B. Nelson, S. W. Stirman, and C. S. Rosen. Clinician burnout and effectiveness of guideline-recommended psychotherapies.JAMA Network Open, 7(4):e246858, 2024

  51. [51]

    Sparrow and M

    R. Sparrow and M. Brown. Against imaginary friends: Why digital companions are no solution to social isolation.Com- mun. ACM, page 60–68, Jan. 2026

  52. [52]

    Fingerprinting sdks for mobile apps and where to find them: Understanding the market for device finger- printing

    M.A.Specter,M.Christodorescu,A.Farr,B.Ma,andR.Las- sonde. Fingerprinting sdks for mobile apps and where to find them: Understanding the market for device finger- printing. InACM CCS, pages 1275–1289, 2025

  53. [53]

    Starvaggi and L

    I. Starvaggi and L. Lorenzo-Luaces. Psychotherapy access barriers and interest in digital mental health interventions among adults with treatment needs: Survey study.JMIR Mental Health, 12:e65356, 2025

  54. [54]

    Mobile operating system market share worldwide

    StatCounter. Mobile operating system market share worldwide. https://gs.statcounter.com/os-market-share/ mobile/worldwide, 2025

  55. [55]

    California consumer privacy act of 2018, Cal

    State of California. California consumer privacy act of 2018, Cal. Civ. Code §§ 1798.100 et seq. as amended by the california privacy rights act of 2020. https:// leginfo.legislature.ca.gov/faces/codes_displayText.xhtml? division=3.&part=4.&lawCode=CIV&title=1.81.5, 2018. Last Accessed April 2026

  56. [56]

    Supreme Court of the United States. Dobbs v. Jackson Women’s Health Organization, 2022. 597 U.S. 215

  57. [57]

    Torous, J

    J. Torous, J. Linardon, S. B. Goldberg, S. Sun, I. Bell, J. Nicholas, L. Hassan, Y. Hua, A. Milton, and J. Firth. The evolving field of digital mental health: current evidence and implementation issues for smartphone apps, genera- tive artificial intelligence, and virtual reality.World Psychi- atry, 24(2):156–174, 2025

  58. [58]

    Torous and L

    J. Torous and L. W. Roberts. Needed innovation in digi- tal health and smartphone applications for mental health: transparency and trust.JAMA psychiatry, 74(5):437–438, 2017

  59. [59]

    Congress

    U.S. Congress. Federal trade commission act, 15 U.S.C. §§ 41–58. https://www.federalreserve.gov/boarddocs/ supmanual/cch/200806/ftca.pdf, 1914. Last Accessed April 2026

  60. [60]

    M. Wang, P. Görz, J. Schilling, K. Hassler, L. Guo, T. Holz, and A. Abbasi. Anota: Identifying business logic vulnera- bilities via annotation-based sanitization. InNDSS, 2026

  61. [61]

    Wessels, S

    M. Wessels, S. Koch, J. Drescher, L. Bettels, D. Klein, and M. Johns. HyTrack: Resurrectable and persistent track- ing across android apps and the web. InUSENIX Security, 2025

  62. [62]

    Vastaamo data breach

    Wikipedia contributors. Vastaamo data breach. https:// en.wikipedia.org/wiki/Vastaamo_data_breach, 2026. Ac- cessed April 2026

  63. [63]

    Q. Xie, K. Ramakrishnan, and F. Li. Evaluating privacy poli- cies under modern privacy laws at scale: An LLM-Based au- tomated approach. InUSENIX Security, pages 5797–5816, 2025

  64. [64]

    Zimmeck, P

    S. Zimmeck, P. Story, D. Smullen, A. Ravichander, Z. Wang, J. Reidenberg, N. C. Russell, and N. Sadeh. Maps: Scaling privacy compliance analysis to a million apps.Proceedings on Privacy Enhancing Technologies, (3):66–98, 2019

  65. [65]

    artificial intelligence,

    S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu, F. Schaub, S. Wilson, N. Sadeh, S. M. Bellovin, and J. Reidenberg. Au- tomated analysis of privacy requirements for mobile apps. InNDSS, 2017. 16 A Detailed App Descriptions Table 9 provides extended descriptions for each app in our corpus, including the primary service model, access re- quirements, pricing...