Table 3. Criteria for evaluation of the apps.

| Reference | Criteria | Assessment of criteria |
|---|---|---|
| Papageorgiou et al, 2018 [6] | Privacy policy: consent, user rights (ie, withdraw and portability), data protection officer, data collection, purpose, and transfer; Permission and static analysis; Data transmission: https, SSL (Secure Sockets Layer), and secure transmission | Number of apps that meet the different criteria |
| Minen et al, 2018 [14] | Account functionality; Data storage; Privacy policy: type of information collected, data sharing, protection of minors, data access, and user rights | Number of apps that meet the different criteria |
| Huckvale et al, 2019 [15] | Privacy policy availability; Uses of data, data transfer, and data collection; Mechanisms for security, how long data will be retained, cookies, user rights (ie, opt-out, consequences of not providing data, deletion, editing, and complaints), and protection of minors; Identity of data controller; Adherence to privacy policy | Percentage of apps that meet the different criteria |
| Scott et al, 2015 [19] | User registration and authentication; Data storing and sharing; Enable users to update, correct, and delete their data; Data privacy and security measures and existence of privacy policy | Items 1-3: risk score (1 point if there is a risk); Items 4-9: safety score (1 point if it is safe) |
| Brüggemann et al, 2016 [20] | Information-sharing targets (S), information transfer (T), and information collection (U); Personal information types (P) and log-in (L); Connection security (R) | $\mathrm{PrivacyRiskScore}_{App} = T_{App} \times w(T) + P_{App} \times w(P) + L_{App} \times w(L) + S_{App} \times w(S) + U_{App} \times w(U) + R_{App} \times w(R)$, where $w$ = weight |
| Mense et al, 2016 [21] | Use of SSL and certificate pinning; Information sent and identification of third parties | Number of apps that meet the different criteria |
| Hutton et al, 2018 [22] | Notice and awareness: data sharing, nature of data, and explanation of security measures; Choice or consent: user-consent control; Access or participation: user access to data; Social disclosure: privacy control | Most heuristics are valued as 0-2 (0, 1, or 2), though some have slightly different values (ie, 0/1, 0-3, or 0-4) |
| Zapata et al, 2014 [23] | Privacy policy access and updates; Authentication, encryption, and security standards; Access can be granted and revoked | All six items are valued as 0, 0.5, or 1 |
| Sunyaev et al, 2015 [24] | Privacy policy availability; Privacy policy features: length, readability, scope, and transparency (ie, sharing, collection, and user controls) | Number of apps that meet the different criteria |
| Leigh et al, 2017 [25] | Data sharing; Confidentiality mechanisms; Privacy policy availability and content (ie, data collection, use of data, and data encryption) | App privacy features (items 1-2) and privacy policy (items 3-8), with 1 point per question |
| Baumel et al, 2017 [26] | Data communications, storage, and sharing; Notification of how personal information is kept confidential; Protection of minors; Anonymization | Eight items: 1 point if the app does not include the item |
| Bachiri et al, 2018 [27] | Privacy policy location and updates; Access management: permissions, audit, criteria, and authentication; Security measures; Consideration of the Health Insurance Portability and Accountability Act (HIPAA) | Number of criteria that are met (35 items) |
| de las Aguas Robustillo Cortés et al, 2014 [28] | Data transmission and confidentiality; Registration, purpose of use, information disclosure, and social disclosure; Protection of minors and mechanisms to avoid unauthorized access; Information storage | –1 (does not meet the criterion), 0 (not applicable), or 1 (meets the criterion) |
| Quevedo-Rodríguez and Wagner, 2019 [29] | Nature and purpose of the information and data storing; Information about privacy, consent, and security measures; User access; Protection of minors | Compliance with items: 2 (complies), 1 (partially complies), or 0 (does not comply) |
| Knorr et al, 2015 [30] | Static and dynamic analyses and web connection; Inspection of privacy policies | General compliance with the items |
| Zapata et al, 2014 [31] | Notification: privacy policy access and updates, cookies, and use of safety standards; Security: authentication, encryption, server protection, and backup copies; Election and access: access can be granted and revoked, and access in case of emergency | Compliance with items: 2 (complies), 1 (partially complies), or 0 (does not comply) |
| Bondaronek et al, 2018 [32] | Privacy information: availability, accessibility, data collecting, data sharing, and data security | Number of apps that meet the different criteria |
| O'Laughlin et al, 2019 [33] | Privacy policy availability, existence of a log-in process, and identification; Data storage and sharing; User access: editing and deletion | Some of the items received a white, light-grey, or dark-grey score; other items received a white or light-grey score; 1 item received a white, light-grey, or black score |
| Adhikari et al, 2014 [34] | User registration and authentication; Data storing and sharing; Enable users to update, correct, and delete their data; Data privacy and security measures and existence of privacy policy | Items 1-3: risk score (1 point if there is a risk); Items 4-8: safety score (1 point if it is safe) |
| Aliasgari et al, 2018 [35] | SSL configuration; Data transfer and collection; Compliance with the HIPAA | HIPAA compliance or not: the authors checked whether the terms and conditions indicated HIPAA compliance, or they asked the app's support team |
| Mense et al, 2016 [36] | Encryption; Data transmission | Number of apps that meet the different criteria |
| Powell et al, 2018 [37] | Privacy policy readability: word count, sentences per paragraph, words per sentence, characters per word, average number of sentences per 100 words, average words with 6 or more characters, Flesch Reading Ease, Flesch-Kincaid Grade Level, Gunning Fog Score, SMOG (Simple Measure of Gobbledygook) Index, Coleman-Liau Index, Automated Readability Index, Fry Grade Level, and Raygor Estimate Graph Grade Level | Average score, median, or range for every item, comparing diabetes apps vs mental health apps |
| Huckvale et al, 2015 [38] | Privacy policy: availability and features; Concordance of privacy policies and data-handling practices; Coverage of privacy policy: data collection, data transfer, anonymization, how long data are retained, use of cookies, user rights (ie, opt-out, consequences of not providing data, data access, and complaints), identification of data controller, and updates | Percentage of apps that meet the different criteria |
| Robillard et al, 2019 [39] | Collected information (ie, nature and types), use of information, and data sharing; Reasons for disclosing information; User rights: consent, opt-out, and deletion | Percentage of apps that meet the different criteria |