Security analysis of menstruation cycle tracking applications using static, dynamic and machine learning techniques

There have been many incidents in the past, where user's private information, health and vitals, shared to a mobile app have been disclosed. In this paper, we consider Menstruation Cycle Tracking Android apps, and analyse their security features to understand if the app developers have taken adequate care to avoid such incidents of breach or disclosure. These apps store extremely personal information of women and need to take security very seriously. We have initially applied Static Analysis techniques on these apps, and understood the various loopholes from the developer's prospective. Moreover, we used Dynamic Analysis techniques to further scrutinise the apps and exploit the discovered vulnerabilities. We found many apps are not observant in implementing minimal security features. Further, we propose a machine learning based-Ranking and Extraction of Android Permissions (REAP) framework, where we extract the permissions of these apps and apply Classification and Clustering algorithms to aid in identifying apps that are seeking more permissions and are potentially more risky. Classification accuracy of 94.52% was achieved using Naive Bayes classifier. Menstruation cycle tracking apps carry extremely private information, however, the app developers, sometimes, fail to provide a secure environment to the end-users.