Missing Declaration of Health Info Collection in Privacy Policy

Missing Declaration of Health Info Collection in Privacy Policy

Risk: medium

Description

The vulnerability exists in the app's failure to accurately reflect the collection of users' health information in the privacy policy, potentially leading to a breach of user privacy and data protection regulations.

Recommendation

To mitigate the vulnerability of collecting users' health information, ensure that your privacy policy clearly states the purpose and methods of collecting this sensitive data, obtain explicit consent from users before collecting any health information, and implement strong security measures to protect this data from unauthorized access or misuse. Additionally, regularly review and update your privacy policy to stay compliant with data protection regulations and best practices.

Links

• Android Privacy Guidelines
• Privacy Policies for Mobile Apps
• Apple Privacy Manifest
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• OWASP_MASVS_L1:
• OWASP_MASVS_L2:
• OWASP_MASVS_RESILIENCE:
• CWE_TOP_25:
• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_9
  • ART_11
  • ART_13
  • ART_15
  • ART_16
  • ART_17
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_105
  • CCPA_1798_110
  • CCPA_1798_115
  • CCPA_1798_120
  • CCPA_1798_125
  • CCPA_1798_130
  • CCPA_1798_135
  • CCPA_1798_140
  • CCPA_1798_150
• PCI_STANDARDS:
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
  • MASVS_PRIVACY_3
  • MASVS_PRIVACY_4
• OWASP_ASVS_L1:
• OWASP_ASVS_L2:
• OWASP_ASVS_L3:
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3