What's on Your Mind? Exploring Privacy of Mental Health Apps
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-07-01 00:07 UTCgrok-4.3pith:HLR5CMQZrecord.jsonopen to challenge →
The pith
Mental health apps embed trackers and request permissions their policies do not disclose.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Static analysis, dynamic network capture, and LLM-assisted policy extraction on the 25 apps show that every app contains at least one tracker SDK absent from its policy, 68 percent of apps fail to name at least half the trackers found in their APKs, 16 permission-policy contradictions appear across 13 apps (including six that request camera or microphone access without disclosure), 48 percent of apps acknowledge third-party AI processing while seven use only generic language that leaves the recipients unnamed, and one app forwards journal entries to three different AI providers at once. These concrete mismatches demonstrate that current disclosure practices fall short of the transparency req
What carries the argument
Side-by-side comparison of app manifest permissions, observed network destinations, and extracted privacy-policy statements across the 25 apps.
If this is right
- Every examined app embeds at least one undisclosed tracker SDK.
- Thirteen apps declare dangerous permissions that their policies omit.
- Six apps request camera or microphone access without any corresponding disclosure.
- Nearly half the apps send data to third-party AI services, sometimes to multiple providers simultaneously.
- Existing disclosure practices do not support meaningful informed consent, so a significantly updated regulatory framework is required.
Where Pith is reading between the lines
- App stores or regulators could require machine-readable lists of all embedded SDKs and AI recipients.
- Similar side-by-side checks could be applied to other categories of apps that handle sensitive personal data.
- Users might change behavior if they could see automated comparisons between an app's declared policy and its actual traffic.
- Therapy-app developers would need to audit every third-party component before release to avoid the contradictions found here.
Load-bearing premise
The 25 chosen apps together with the static, dynamic, and LLM-assisted methods capture the full set of real privacy practices without missing material trackers or misreading policies.
What would settle it
A complete re-run of the same static, dynamic, and policy analysis on these 25 apps that finds every detected tracker named in the policies and zero permission contradictions would falsify the reported transparency gaps.
Figures
read the original abstract
Therapy and life-coaching apps have been rapidly growing in number, flavors, and popularity. However, their users routinely share highly sensitive and personal information, such as traumas, fantasies, desires, relationship difficulties, and other mental health concerns. This prompts the need for an empirical analysis of privacy practices in this ecosystem, and particularly the alignment between these apps' privacy policies and their actual behavior. In this paper, we present a comprehensive analysis of 25 popular Android mental health and life-coaching apps, combining static analysis, dynamic network capture, and LLM-assisted privacy policy extraction validated against manual annotation. Our findings highlight serious concerns and substantial transparency gaps. First, every app embeds at least one tracker SDK that its privacy policy does not name, and 68% of apps fail to disclose at least half of the trackers detected in their APKs; Talkie alone embeds 20 while naming none. Second, we identify 16 permission-policy contradictions across 13 apps, i.e., a dangerous permission is declared in the manifest but omitted from the policy, including 6 apps that request camera or microphone access without disclosing photo, video, or audio collection. Third, 48% of apps disclose third-party AI processing (e.g., via OpenAI, Anthropic, Groq), with one app sending journal entries to all three simultaneously, while 7 apps use only generic language that leaves recipients unidentified. Taken together, our findings demonstrate that current disclosure practices fall short of the transparency required for meaningful informed consent. We argue for a significantly updated regulatory framework governing therapy apps in the spirit of the professional and ethical standards that bind licensed human therapists.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents a multi-method empirical analysis of 25 popular Android mental health and life-coaching apps. It combines static APK inspection for trackers and permissions, dynamic network traffic capture, and LLM-assisted extraction of privacy policies (validated against manual annotation). Key results include: every app embeds at least one tracker SDK not named in its policy, with 68% failing to disclose at least half of detected trackers (Talkie embeds 20, names none); 16 permission-policy contradictions across 13 apps, including 6 that request camera/microphone without disclosing collection; and 48% disclose third-party AI processing (e.g., OpenAI, Anthropic), while 7 use only generic language. The authors conclude that these disclosure gaps mean current practices fall short of the transparency needed for meaningful informed consent and argue for an updated regulatory framework modeled on standards for licensed therapists.
Significance. If the detection methods prove comprehensive, the quantified findings provide concrete evidence of transparency shortfalls in a domain handling highly sensitive data, strengthening the case for policy intervention. The multi-method design and manual validation of LLM outputs are methodological strengths that enhance credibility over purely static or policy-only studies. The specific counts on undisclosed trackers, contradictions, and AI recipients offer falsifiable observations useful for future replication or regulatory reference.
major comments (2)
- [§3.2] §3.2 (Dynamic Analysis): The description of network traffic capture provides no details on exercised test paths, permission-triggered flows, or coverage metrics. This is load-bearing for the central claim because incomplete path coverage could produce false negatives in tracker and AI recipient detection, directly affecting the 'every app' undisclosed tracker result and the 68% non-disclosure statistic.
- [§3.3] §3.3 (LLM-assisted Policy Extraction): Although the method is stated to be validated against manual annotation, no quantitative validation metrics (precision, recall, disagreement rate, or example cases) are reported. This is load-bearing for the informed-consent conclusion because it affects confidence in the 48% AI-processing disclosure rate and the count of 7 apps using only generic language.
minor comments (1)
- [Abstract] The abstract and results could more explicitly state the total number of trackers detected across the corpus to allow readers to assess the scale of the 68% figure.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback highlighting opportunities to strengthen the methodological transparency of our multi-method analysis. We address each major comment below and will revise the manuscript to incorporate the requested details.
read point-by-point responses
-
Referee: [§3.2] §3.2 (Dynamic Analysis): The description of network traffic capture provides no details on exercised test paths, permission-triggered flows, or coverage metrics. This is load-bearing for the central claim because incomplete path coverage could produce false negatives in tracker and AI recipient detection, directly affecting the 'every app' undisclosed tracker result and the 68% non-disclosure statistic.
Authors: We agree that the current description of dynamic analysis in §3.2 is insufficiently detailed. In the revised manuscript we will expand this section to specify the exercised test paths (onboarding, account creation, journaling/mood logging, AI chat interactions, and explicit permission grants for camera/microphone), the automation approach used to trigger permission flows, session durations, and any coverage indicators obtained during network capture. These additions will directly support the reliability of the tracker-detection results. revision: yes
-
Referee: [§3.3] §3.3 (LLM-assisted Policy Extraction): Although the method is stated to be validated against manual annotation, no quantitative validation metrics (precision, recall, disagreement rate, or example cases) are reported. This is load-bearing for the informed-consent conclusion because it affects confidence in the 48% AI-processing disclosure rate and the count of 7 apps using only generic language.
Authors: We acknowledge that quantitative validation metrics for the LLM-assisted policy extraction were not reported, even though manual validation was performed. In the revision we will add a dedicated paragraph or table in §3.3 presenting precision, recall, disagreement rate, and representative examples of LLM vs. manual annotation outcomes. This will increase confidence in the 48% AI-disclosure figure and the count of generic-language apps. revision: yes
Circularity Check
No circularity: pure empirical measurement study
full rationale
The paper performs static APK inspection, dynamic network capture, and LLM-assisted (manually validated) policy extraction on 25 apps, then reports direct counts of trackers, contradictions, and disclosures. No equations, fitted parameters, predictions, ansatzes, or derivation chains exist. No self-citations are invoked as load-bearing uniqueness theorems or to justify methods. All claims reduce to observable outputs from the selected apps' manifests, traffic, and policy text; the analysis is self-contained against external benchmarks and contains no self-definitional or fitted-input steps.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption Static and dynamic analysis reliably detect all embedded tracker SDKs and permission usages in the APKs.
- domain assumption The 25 popular apps form a representative sample of the mental health and life-coaching app ecosystem.
Reference graph
Works this paper leans on
-
[1]
7 Cups. Research & stats. https://www.7cups.com/about/ research-stats.php, 2026. Accessed April 2026
work page 2026
-
[2]
F. Alqahtani and R. Orji. Insights from user reviews to improve mental health apps.Health informatics journal, 26(3), 2020
work page 2020
-
[3]
American Counseling Association. ACA code of ethics. https://www.counseling.org/resources/aca-code-of- ethics.pdf, 2014. Accessed April 2026
work page 2014
-
[4]
Ethical principles of psychologists and code of conduct (2002, amended 2010 and 2017)
American Psychological Association. Ethical principles of psychologists and code of conduct (2002, amended 2010 and 2017). https://www.apa.org/ethics/code, 2017. Ac- cessed April 2026
work page 2002
- [5]
- [6]
- [7]
- [8]
-
[9]
F. F. Belz, N. J. Vega Potler, I. N. S. Johnson, and R. P. F. Wolthusen. Lessons from low- and middle-income coun- tries: Alleviating the behavioral health workforce shortage in the United States.Psychiatric Services, 75(7), 2024
work page 2024
-
[10]
S. Bradley. Replika CEO Eugenia Kuyda on launch- ing Wabi. https://www.businessinsider.com/replika-ceo- eugenia-kuyda-launch-wabi-2025-10, 2025. Accessed April 2026
work page 2025
-
[11]
Examining risks in the AI companion application ecosystem,
N.G.Brigham, L.Qin, andT.Kohno. Examiningrisksinthe AI companion application ecosystem. arXiv:2603.13620, 2026
-
[12]
Business of Apps. Headspace statistics. https://www. 14 businessofapps.com/data/headspace-statistics/, 2025. Ac- cessed April 2026
work page 2025
-
[13]
E. Coffield and K. Kausar. Evaluating user engagement with a real-time, text-based digital mental health support app: Cross-sectional, retrospective study.JMIR mHealth and uHealth, 2025
work page 2025
-
[14]
A.F.Cooper, C.A.Choquette-Choo, M.Bogen, M.Jagielski, K. Filippova, K. Liu, A. Chouldechova, J. Hayes, Y. Huang, N. Mireshghallah, et al. Machine unlearning doesn’t do what you think: Lessons for generative ai policy, research, and practice.arXiv:2412.06966, 2024
- [15]
-
[16]
A. Desnos and G. Gueguen. Androguard: Reverse en- gineering and malware analysis of Android applications. https://github.com/androguard/androguard, 2024
work page 2024
-
[17]
Z. Dong, T. Liu, J. Deng, L. Li, M. Yang, M. Wang, G. Xu, and G. Xu. Exploring covert third-party identifiers through external storage in the android new era. InUSENIX Secu- rity, pages 4535–4552, 2024
work page 2024
-
[18]
Z. Dong, L. Wang, H. Xie, G. Xu, and H. Wang. Privacy analysis of period tracking mobile apps in the post-roe v. wade era. InASE, pages 1–6, 2022
work page 2022
-
[19]
Legacy Article 29 Work- ing Party
European Data Protection Board. Legacy Article 29 Work- ing Party. https://www.edpb.europa.eu/system/files/ 2023-09/wp260rev01_en.pdf, 2023. Last Accessed April 2026
work page 2023
-
[20]
European Data Protection Supervisor. ePrivacy direc- tive. https://www.edps.europa.eu/data-protection/our- work/subjects/eprivacy-directive_en,2026. AccessedApril 2026
work page 2026
-
[21]
M. Faizullabhoy and S. Wangnoo. Mental health apps market size, forecasts report 2026–2035. https://www.gminsights.com/industry-analysis/mental- health-apps-market, Apr. 2026. Accessed April 2026
work page 2026
-
[22]
Federal Trade Commission. FTC to ban BetterHelp from revealing consumers’ data, including sensitive mental health information, to Facebook and others for targeted advertising. https://www.ftc.gov/news- events/news/press-releases/2023/03/ftc-ban-betterhelp- revealing-consumers-data-including-sensitive-mental- health-information-facebook, 2023
work page 2023
- [23]
-
[24]
A. Gorla. On the analysis of mobile apps. why is most of our research on android? InISEC, pages 1–1, 2024
work page 2024
-
[25]
for an app supposed to make its users feel better, it sure is a joke
M. R. Haque and S. Rubya. “for an app supposed to make its users feel better, it sure is a joke” an analysis of user reviews of mobile mental health applications.Proceedings of the ACM on Human-Computer Interaction, 6:1–29, 2022
work page 2022
- [26]
-
[27]
K.Huckvale, J.Torous, andM.E.Larsen. Assessmentofthe data sharing and privacy practices of smartphone apps for depression and smoking cessation.JAMA Network Open, 2(4):e192542, 2019
work page 2019
-
[28]
L. H. Iwaya, A. Ahmad, and M. A. Babar. On the privacy of mental health apps: An empirical investigation and its implications for app development.Empirical Software En- gineering, 28(1):2, 2022
work page 2022
-
[29]
B. T. Kaveladze, A. R. Wasil, J. B. Bunyi, V. Ramirez, and S. M. Schueller. User experience, engagement, and pop- ularity in mental health apps: Secondary analysis of app analytics and expert app reviews.JMIR Human Factors, 9(1):e30766, 2022
work page 2022
-
[30]
J. Kim. Data brokers and the sale of americans’ mental health data: The exchange of our most sensitive data and what it means for personal privacy. Technical report, Duke University Sanford School of Public Policy, 2023
work page 2023
-
[31]
U. Kishnani, N. Noah, S. Das, and R. Dewri. Assessing secu- rity, privacy, user interaction, and accessibility features in popular e-payment applications. InEuroUSEC, pages 143– 157, 2023
work page 2023
-
[32]
K. Kollnig, R. Binns, P. Dewitte, M. Van Kleek, G. Wang, D. Omeiza, H. Webb, and N. Shadbolt. A fait accompli? an empirical study into the absence of consent to third-party tracking in android apps. InSOUPS, pages 181–196, 2021
work page 2021
-
[33]
K. Kollnig, A. Shuba, R. Binns, M. Van Kleek, and N. Shad- bolt. Are iphones really better for privacy? comparative study of ios and android apps.arXiv:2109.13722, 2021
- [34]
- [35]
-
[36]
N. Lau, A. O’Daffer, S. Colt, J. P. Yi-Frazier, T. M. Palermo, E.McCauley, andA.R.Rosenberg. AndroidandiPhonemo- bileappsforpsychosocialwellnessandstressmanagement: Systematic search in app stores and literature review.JMIR mHealth and uHealth, 8(5):e17798, 2020
work page 2020
-
[37]
W. Liu, X. Liu, Y. Feng, K. Huang, Z. Jin, Y. Cao, Y. Liu, and Q. Liu. Wtdetect: a third-party website tracking de- tection framework for android applications.Cybersecurity, 8(1):96, 2025
work page 2025
-
[38]
J. C. Looi, S. Allison, T. Bastiampillai, P. A. Maguire, S. Kisely, S. Reutens, and R. C. Looi. Cybersecurity lessons from the Vastaamo psychotherapy data breach for psychia- trists and other mental healthcare providers.Australasian Psychiatry, 33(1):106–110, 2024
work page 2024
-
[39]
J. M. Marshall, D. A. Dunstan, and W. Bartik. Apps with maps—anxiety and depression mobile apps with evidence- based frameworks: systematic search of major app stores. JMIR mental health, 7(6), 2020
work page 2020
-
[40]
android_rules.yaml: Android static analysis rules for Mobile Security Framework (MobSF)
MobSF Project. android_rules.yaml: Android static analysis rules for Mobile Security Framework (MobSF). https://github.com/MobSF/Mobile-Security-Framework- MobSF/blob/master/mobsf/StaticAnalyzer/views/ android/rules/android_rules.yaml, 2024
work page 2024
-
[41]
appsec.py: App security score com- putation in Mobile Security Framework (MobSF)
MobSF Project. appsec.py: App security score com- putation in Mobile Security Framework (MobSF). https://github.com/MobSF/Mobile-Security-Framework- MobSF/blob/master/mobsf/StaticAnalyzer/views/ common/appsec.py, 2024
work page 2024
-
[42]
Mobilesecurityframework(MobSF):Auto- mated mobile application security testing
MobSFProject. Mobilesecurityframework(MobSF):Auto- mated mobile application security testing. https://github. 15 com/MobSF/Mobile-Security-Framework-MobSF, 2024
work page 2024
-
[43]
R. Mohamed, A. Arunasalam, H. Farrukh, J. Tong, A. Bianchi, and Z. B. Celik. ATTention please! an inves- tigation of the app tracking transparency permission. In USENIX Security, pages 5017–5034, 2024
work page 2024
- [44]
-
[45]
A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez, S. Sundaresan, M. Allman, C. Kreibich, P. Gill, et al. Apps, trackers, privacy, and regulators: A global study of the mo- bile tracking ecosystem. InNDSS, 2018
work page 2018
-
[46]
J. Reardon, Á. Feal, P. Wijesekera, A. Elazari Bar On, N. Vallina-Rodriguez, and S. Egelman. 50 ways to leak your data: An exploration of apps’ circumvention of the android permissions system. InUSENIX Security, pages 603–620, 2019
work page 2019
-
[47]
Young people in China are embracing AI therapy
Rest of World. Young people in China are embracing AI therapy. https://restofworld.org/2025/young-people-in- china-are-embracing-ai-therapy/, 2025. Accessed April 2026
work page 2025
-
[48]
won’t somebody think of the children?
I. Reyes, P. Wijesekera, J. Reardon, A. Elazari Bar On, A. Razaghpanah, N. Vallina-Rodriguez, and S. Egelman. “won’t somebody think of the children?” examining coppa complianceatscale.ProceedingsonPrivacyEnhancingTech- nologies, (3):63–83, 2018
work page 2018
-
[49]
N. Samarin, S. Kothari, Z. Siyed, O. Bjorkman, R. Yuan, P. Wijesekera, N. Alomar, J. Fischer, C. Hoofnagle, and S.Egelman. LessonsinVCRRepair: ComplianceofAndroid App Developers with the California Consumer Privacy Act (CCPA).arXiv:2304.00944, 2023
-
[50]
N. A. Sayer, A. Kaplan, D. B. Nelson, S. W. Stirman, and C. S. Rosen. Clinician burnout and effectiveness of guideline-recommended psychotherapies.JAMA Network Open, 7(4):e246858, 2024
work page 2024
-
[51]
R. Sparrow and M. Brown. Against imaginary friends: Why digital companions are no solution to social isolation.Com- mun. ACM, page 60–68, Jan. 2026
work page 2026
-
[52]
M.A.Specter,M.Christodorescu,A.Farr,B.Ma,andR.Las- sonde. Fingerprinting sdks for mobile apps and where to find them: Understanding the market for device finger- printing. InACM CCS, pages 1275–1289, 2025
work page 2025
-
[53]
I. Starvaggi and L. Lorenzo-Luaces. Psychotherapy access barriers and interest in digital mental health interventions among adults with treatment needs: Survey study.JMIR Mental Health, 12:e65356, 2025
work page 2025
-
[54]
Mobile operating system market share worldwide
StatCounter. Mobile operating system market share worldwide. https://gs.statcounter.com/os-market-share/ mobile/worldwide, 2025
work page 2025
-
[55]
California consumer privacy act of 2018, Cal
State of California. California consumer privacy act of 2018, Cal. Civ. Code §§ 1798.100 et seq. as amended by the california privacy rights act of 2020. https:// leginfo.legislature.ca.gov/faces/codes_displayText.xhtml? division=3.&part=4.&lawCode=CIV&title=1.81.5, 2018. Last Accessed April 2026
work page 2018
-
[56]
Supreme Court of the United States. Dobbs v. Jackson Women’s Health Organization, 2022. 597 U.S. 215
work page 2022
-
[57]
J. Torous, J. Linardon, S. B. Goldberg, S. Sun, I. Bell, J. Nicholas, L. Hassan, Y. Hua, A. Milton, and J. Firth. The evolving field of digital mental health: current evidence and implementation issues for smartphone apps, genera- tive artificial intelligence, and virtual reality.World Psychi- atry, 24(2):156–174, 2025
work page 2025
-
[58]
J. Torous and L. W. Roberts. Needed innovation in digi- tal health and smartphone applications for mental health: transparency and trust.JAMA psychiatry, 74(5):437–438, 2017
work page 2017
- [59]
-
[60]
M. Wang, P. Görz, J. Schilling, K. Hassler, L. Guo, T. Holz, and A. Abbasi. Anota: Identifying business logic vulnera- bilities via annotation-based sanitization. InNDSS, 2026
work page 2026
-
[61]
M. Wessels, S. Koch, J. Drescher, L. Bettels, D. Klein, and M. Johns. HyTrack: Resurrectable and persistent track- ing across android apps and the web. InUSENIX Security, 2025
work page 2025
-
[62]
Wikipedia contributors. Vastaamo data breach. https:// en.wikipedia.org/wiki/Vastaamo_data_breach, 2026. Ac- cessed April 2026
work page 2026
-
[63]
Q. Xie, K. Ramakrishnan, and F. Li. Evaluating privacy poli- cies under modern privacy laws at scale: An LLM-Based au- tomated approach. InUSENIX Security, pages 5797–5816, 2025
work page 2025
-
[64]
S. Zimmeck, P. Story, D. Smullen, A. Ravichander, Z. Wang, J. Reidenberg, N. C. Russell, and N. Sadeh. Maps: Scaling privacy compliance analysis to a million apps.Proceedings on Privacy Enhancing Technologies, (3):66–98, 2019
work page 2019
-
[65]
S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu, F. Schaub, S. Wilson, N. Sadeh, S. M. Bellovin, and J. Reidenberg. Au- tomated analysis of privacy requirements for mobile apps. InNDSS, 2017. 16 A Detailed App Descriptions Table 9 provides extended descriptions for each app in our corpus, including the primary service model, access re- quirements, pricing...
work page 2017
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.