Happtique halts app certification on data security concerns

Health app industry self-policing and ‘trusted sourcing’ credibility at stake?

Updated below. Last week, after Happtique announced its ‘Inaugural Class’ of 19 certified apps [TTA 2 Dec]–certified on their standards of operability, privacy, security and content–a young HIT software developer, Harold Smith III, discovered some major security flaws in two of them: MyNetDiary’s Diabetes Tracker and TactioHealth5. User names and passwords were stored in plain text files–not encrypted–and Mr. Smith then subjected them to a ‘man in the middle attack’ (MITM) which he explains as “…where a nefarious source intercepts your communication from the App to the server. They decrypt the SSL connection, pull out your data, and send the data on to the server.” Both failed. Worse, the ePHI (ePersonal Health Information) of both were not sent in a secured way and not stored in secure, encrypted files. After advising both companies of the problems (including one of these companies in person at the mHealth Summit), as well as Happtique, and receiving no satisfactory response after days passed, Mr. Smith went public Tuesday and Wednesday on his blog mHealth and Mobile Development. Both articles deserve careful reading. Our readers with software development background will appreciate 1) his meticulousness and 2) his ire not only at Happtique but their validator, Intertek, at the poor technical quality of their vetting; the non-techies like your Editor will appreciate the clarity of his writing.

Small blog, big impact today. Happtique has suspended its certification program (website notice) and on its website now has revised certification standards. Regarding the credibility of Mr. Smith,

Happtique certifies 19 health apps

Happtique, which started in 2011 as a health app certifier and curator, then ‘pivoted’ to what they term a “virtual marketplace and distribution platform” (?) after a major management change this spring, has mystifyingly announced the ‘Inaugural Class of 2013’ of 19 certified health apps. These presumably passed certification guidelines finalized in September 2012. But the bare list of apps and links leads this Editor to more questions. Is this meant for the clinical market as part of their mRx program? Consumer market? And how will they find out? While the apps range from the obscure (Amazing Abs) to the expected (MyNetDiary’s Diabetes Tracker) to the well-known from major names (GreatCall’s UrgentCare, which counts as two on the list), it’s hard not to feel a certain sense of underwhelm at this news: 19 out of nearly 30,000 counted by iMedical Apps [TTA 23 July], and even against the 200 listed in MyHealthApps [TTA 26 Nov]. MedCityNews’ light and oddly edited article only adds to the mystery. And Mobihealthnews reveals that the 10 companies listed paid for certification of their apps, which is not surprising, but if the payment is more than a nominal application fee, it very well takes away from the impression of objective certification.

Ed. Note: Over the past three days this Editor has contacted Happtique to confirm the application fee and to generally comment on the program. As of this writing (Thursday 8:30pm NY time), no reply has been received. However, a FierceMobileHealthcare interview with then-CEO Ben Chodor gave a range of $2500-3000 to certify an app for two years, with a 30 day turnaround time.