
arxiv: 2606.26276 · v3 · pith:F2UAOOECnew · submitted 2026-06-24 · 💻 cs.CR

Expecting (Targeted Ads)? Network Analysis of User Health Data Leakage in Fertility Tracking Apps

Pith reviewed 2026-07-01 06:45 UTC · model grok-4.3

classification 💻 cs.CR
keywords fertility tracking apps · health data leakage · targeted advertising · network measurement · Android privacy · third-party data sharing · menstrual tracking · TLS traffic analysis

The pith

Five of 20 fertility tracking apps explicitly or implicitly leak user health data to advertisers via network traffic.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper performs a network measurement study on 20 Android fertility tracking apps to examine how they share user menstrual and pregnancy data with third-party ad services. It finds explicit leakage in some apps and implicit leakage through highly targeted advertising URLs in a subset of five, while noting that other apps use ad models without apparent data sharing and several interact minimally with ads. A sympathetic reader would care because this supplies concrete technical evidence for privacy risks in apps that handle sensitive health information and shows that not all apps behave the same way. The work therefore grounds user concerns with observed traffic patterns rather than relying solely on human-factors studies.

Core claim

After cataloging features across the 20 apps and running standardized user interactions while capturing TLS-stripped network traffic, the study identifies explicit leakage of user health data in a subset of five apps together with implicit leakage through highly targeted contextual advertising URLs; at the same time it records apps that monetize via ads without detectable leakage and others that interact only minimally with ad services.

What carries the argument

TLS-stripped network traffic capture from standardized user interactions across the 20 apps, used to detect both direct data transmission and indirect leakage via targeted ad URLs.

Load-bearing premise

The standardized interactions and TLS-stripped traffic recordings in the test environment match real-world data-sharing behavior without meaningful artifacts from the setup or incomplete decryption.

What would settle it

Re-running the same interactions on the five flagged apps in a production environment with live user accounts and observing no health-data fields in the outgoing requests or ad URLs.

Figures

Figures reproduced from arXiv: 2606.26276 by Adam Bates, Brad Reaves, Camille Cobb, Mahnoor Jameel, Shahanaasree Sivakumar, Yeeun Jo.

Figure 1. Number of occurrences of each advertising
Figure 2. Number of HTTP Requests by interaction session to different advertising network service types.

  Endpoint Role            Requests   Perc.
  Configuration                 234      3%
  Conversion Tracking           146      2%
  Cookie Synchronization         60      1%
  Event Tracking                257      3%
  Get Ad                      5,032     64%
  Impression Tracking         1,022     13%
  Static Content                979     13%
  Unclear                        99      1%

Figure 4. Number of HTTP Requests per App and Inter
Figure 5. In BabyCenter, the getAdsUserStage function in com.babycenter.pregbaby.api.model.ChildViewModel populates the csw and us custom parameters.
Figure 6. In What to Expect, numerous functions in app/src/main/java/com/whattoexpect/ad/AdManager support the construction of query parameters that leak user health data.
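An added audit script (written here, not the paper's code or tooling) showing the kind of check the "What would settle it" section describes, run over a TLS-stripped capture: each decrypted request is classified into the endpoint roles listed under Figure 2 by a hypothetical path heuristic, and query parameters that carry health state are flagged, using the csw, us and appmode names from the BabyCenter caption plus a hypothetical value vocabulary. The sample capture, hosts and paths are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl
# Query-parameter names treated as health state: "csw", "us" and "appmode" are the
# BabyCenter names quoted on this page; the rest are hypothetical auditor additions.
HEALTH_PARAMS = {"csw", "us", "appmode", "due_date", "cycle_day", "stage"}
# Value vocabulary that reads as menstrual/pregnancy status (hypothetical).
HEALTH_VALUE_RE = re.compile(r"\b(pregnan\w*|trimester|ttc|postpartum|week\d{1,2}|cd\d{1,2})\b", re.I)
# Hypothetical path heuristics mirroring the endpoint-role taxonomy of Figure 2 (first match wins).
ROLE_PATTERNS = {
    "Get Ad": r"/(getad|bid|adrequest)\b", "Impression Tracking": r"/(imp|impression|pixel)\b",
    "Event Tracking": r"/(event|track)\b", "Conversion Tracking": r"/(conv|conversion)\b",
    "Cookie Synchronization": r"/(sync|cookiesync|match)\b", "Configuration": r"/(config|init|settings)\b",
    "Static Content": r"\.(js|png|jpg|css)$",
}

def classify_role(url: str) -> str:
    # Anything no pattern matches falls into "Unclear", as in Figure 2.
    path = urlsplit(url).path.lower()
    for role, pat in ROLE_PATTERNS.items():
        if re.search(pat, path):
            return role
    return "Unclear"

def leaked_fields(url: str) -> list[tuple[str, str]]:
    # (name, value) query pairs whose name or value carries apparent health state.
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in HEALTH_PARAMS or HEALTH_VALUE_RE.search(value):
            hits.append((name, value))
    return hits

def audit(session: list[tuple[str, str]]) -> dict:
    # session = [(app_id, decrypted_request_url), ...] from a TLS-stripped capture.
    roles, leaks = Counter(), {}
    for app, url in session:
        roles[classify_role(url)] += 1
        if fields := leaked_fields(url):
            leaks.setdefault(app, []).extend(fields)
    return {"roles": dict(roles), "leaks": leaks}

# Constructed sample capture: hosts and paths are placeholders, not real ad endpoints.
SAMPLE = [
    ("app.a", "https://ads.example.test/getad?slot=home&csw=week12&us=pregnant"),
    ("app.a", "https://ads.example.test/imp?id=1&csw=week12"),
    ("app.b", "https://ads.example.test/getad?slot=home&appmode=NULL"),
    ("app.c", "https://cdn.example.test/lib/ads.js"),
    ("app.c", "https://ads.example.test/config?v=3"),
    ("app.d", "https://ads.example.test/getad?slot=feed&kw=cd14"),
]
```

Note that app.b's appmode=NULL is still reported: a sentinel value sent on an ad request carries information even when it was meant to suppress a field, which is the implicit-leakage case the Figure 5 caption refers to.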
Original abstract

While human factors in the privacy of fertility tracking apps -- health trackers that record users' menstrual or pregnancy data -- have been the subject of extensive study, little attention has been paid to the technical aspects of apps' data handling practices. We conduct a network-based measurement study of a corpus of 20 Android fertility tracking apps from the Google Play Store, focusing on how user data is shared with third-party advertising services. After systematizing app features, we conduct a series of standardized user interactions across all apps in an environment that records TLS-stripped network traffic. In a subset of apps (n=5) we identify explicit leakage of user health data as well as implicit leakage through highly targeted contextual advertising URLs. Equally importantly, we observe additional apps that use an ad-based monetization model without apparent leakage of user data, as well as several apps that interact only minimally with ad services. These findings provide technical grounding for widespread user concerns, but also underscore the importance of consumer choice in the privacy implications of app-based fertility tracking.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper reports results from a network measurement study of 20 Android fertility tracking apps drawn from the Google Play Store. After systematizing app features, the authors perform standardized user interactions in a controlled environment that records TLS-stripped network traffic. They identify explicit leakage of user health data together with implicit leakage via highly targeted contextual advertising URLs in a subset of five apps; they also note additional apps that monetize via ads without apparent user-data leakage and several apps that interact only minimally with ad services.

Significance. If the traffic captures are shown to be faithful to production behavior, the work supplies concrete technical grounding for privacy concerns about fertility apps and demonstrates that not all apps in the category exhibit the same data-sharing practices. The distinction between leaking and non-leaking ad-supported apps could usefully inform user choice and future regulatory or auditing efforts in the mobile-health domain.

major comments (2)
  1. [Measurement methodology (as described in the abstract and methods narrative)] The central claim of explicit health-data leakage and implicit leakage via targeted ad URLs in n=5 apps rests on the fidelity of the TLS-stripped captures obtained under standardized interactions. The measurement description provides no evidence that certificate pinning, proxy detection, or device-signal conditioning were checked (e.g., via static analysis of the APKs, comparison runs without the MITM proxy, or confirmation that all observed ad domains were successfully decrypted). Without such validation, the observed fields and URL parameters could be artifacts of the test environment rather than production exfiltration.
  2. [Abstract and methods narrative] The abstract and methods narrative supply no sample sizes beyond the n=5 subset, no error analysis, no controls for app version or device configuration, and no quantitative criteria used to classify a URL parameter as “highly targeted contextual advertising.” These omissions make it impossible to evaluate the reproducibility or robustness of the leakage classification.
minor comments (2)
  1. [Abstract] The abstract states findings but supplies no methodological details, sample sizes, or error analysis; moving a concise methods summary into the abstract would improve readability.
  2. [Related work] The paper does not cite prior network-measurement studies of health or ad-tracking apps that used similar TLS-stripping techniques; adding such references would help situate the contribution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their detailed and constructive review. We address each major comment below and will revise the manuscript to incorporate additional methodological details where feasible.

Point-by-point responses
  1. Referee: [Measurement methodology (as described in the abstract and methods narrative)] The central claim of explicit health-data leakage and implicit leakage via targeted ad URLs in n=5 apps rests on the fidelity of the TLS-stripped captures obtained under standardized interactions. The measurement description provides no evidence that certificate pinning, proxy detection, or device-signal conditioning were checked (e.g., via static analysis of the APKs, comparison runs without the MITM proxy, or confirmation that all observed ad domains were successfully decrypted). Without such validation, the observed fields and URL parameters could be artifacts of the test environment rather than production exfiltration.

    Authors: We acknowledge that the current methods narrative does not explicitly report validation steps for certificate pinning or proxy detection. The TLS-stripping approach followed standard practices for Android traffic analysis, and no anomalous behaviors (such as connection failures) were observed during captures. To strengthen the paper, we will add a dedicated methods subsection reporting: (1) static APK analysis results for known pinning libraries, (2) side-by-side comparison runs confirming that ad domains decrypt only under the proxy, and (3) confirmation that all reported URLs were successfully intercepted. These additions will directly address concerns about potential artifacts. revision: yes

  2. Referee: [Abstract and methods narrative] The abstract and methods narrative supply no sample sizes beyond the n=5 subset, no error analysis, no controls for app version or device configuration, and no quantitative criteria used to classify a URL parameter as “highly targeted contextual advertising.” These omissions make it impossible to evaluate the reproducibility or robustness of the leakage classification.

    Authors: We agree that greater detail on experimental parameters is needed for reproducibility. In revision we will expand the methods to specify: total interactions per app (typically 12 standardized flows), any capture variations or failure rates, device/app-version controls (single rooted device, latest Play Store versions at time of testing), and the exact quantitative criteria (e.g., presence of menstrual-cycle or pregnancy-status parameters in ad-request URLs, cross-referenced against app feature taxonomy). These additions will allow readers to assess the classification robustness. revision: yes

Circularity Check

0 steps flagged

Empirical measurement study with no derivations or equations

Full rationale

This is a network measurement study that records TLS-stripped traffic from standardized app interactions and reports observed data fields and ad URLs. No equations, fitted parameters, predictions, or first-principles derivations are present, so none of the enumerated circularity patterns (self-definitional, fitted-input-called-prediction, self-citation load-bearing, etc.) can apply. The claims rest on direct traffic observations rather than any chain that reduces to its own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Review is based solely on the abstract; no free parameters, axioms, or invented entities are described in the provided text.

pith-pipeline@v0.9.1-grok · 5729 in / 947 out tokens · 26038 ms · 2026-07-01T06:45:27.426533+00:00 · methodology

