Expecting (Targeted Ads)? Network Analysis of User Health Data Leakage in Fertility Tracking Apps
Pith reviewed 2026-07-01 06:45 UTC · model grok-4.3
The pith
Five of 20 fertility tracking apps explicitly or implicitly leak user health data to advertisers via network traffic.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
After cataloging features across the 20 apps and running standardized user interactions while capturing TLS-stripped network traffic, the study identifies explicit leakage of user health data in a subset of five apps together with implicit leakage through highly targeted contextual advertising URLs; at the same time it records apps that monetize via ads without detectable leakage and others that interact only minimally with ad services.
What carries the argument
TLS-stripped network traffic capture from standardized user interactions across the 20 apps, used to detect both direct data transmission and indirect leakage via targeted ad URLs.
Load-bearing premise
The standardized interactions and TLS-stripped traffic recordings in the test environment match real-world data-sharing behavior without meaningful artifacts from the setup or incomplete decryption.
What would settle it
Re-running the same interactions on the five flagged apps in a production environment with live user accounts and observing no health-data fields in the outgoing requests or ad URLs.
Figures
read the original abstract
While human factors in the privacy of fertility tracking apps -- health trackers that record users' menstrual or pregnancy data -- has been the subject of extensive study, little attention has been paid to the technical aspects of apps' data handling practices. We conduct a network-based measurement study of a corpus of 20 Android fertility tracking apps from the Google Play Store, focusing on how user data is shared with third party advertising services. After systematizing app features, we conduct a series of standardized user interactions across all apps in an environment that records TLS-stripped network traffic. In a subset of apps (n=5) we identify explicit leakage of user health data as well implicit leakage through highly targeted contextual advertising URL's. Equally importantly, we observe additional apps that use an ad-based monetization model without apparent leakage of user data, as well as several apps the interact only minimally with ad services. These findings provide technical grounding for widespread user concerns, but also underscore the importance of consumer choice in the privacy implications of app-based fertility tracking.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper reports results from a network measurement study of 20 Android fertility tracking apps drawn from the Google Play Store. After systematizing app features, the authors perform standardized user interactions in a controlled environment that records TLS-stripped network traffic. They identify explicit leakage of user health data together with implicit leakage via highly targeted contextual advertising URLs in a subset of five apps; they also note additional apps that monetize via ads without apparent user-data leakage and several apps that interact only minimally with ad services.
Significance. If the traffic captures are shown to be faithful to production behavior, the work supplies concrete technical grounding for privacy concerns about fertility apps and demonstrates that not all apps in the category exhibit the same data-sharing practices. The distinction between leaking and non-leaking ad-supported apps could usefully inform user choice and future regulatory or auditing efforts in the mobile-health domain.
major comments (2)
- [Measurement methodology (as described in the abstract and methods narrative)] The central claim of explicit health-data leakage and implicit leakage via targeted ad URLs in n=5 apps rests on the fidelity of the TLS-stripped captures obtained under standardized interactions. The measurement description provides no evidence that certificate pinning, proxy detection, or device-signal conditioning were checked (e.g., via static analysis of the APKs, comparison runs without the MITM proxy, or confirmation that all observed ad domains were successfully decrypted). Without such validation, the observed fields and URL parameters could be artifacts of the test environment rather than production exfiltration.
- [Abstract and methods narrative] The abstract and methods narrative supply no sample sizes beyond the n=5 subset, no error analysis, no controls for app version or device configuration, and no quantitative criteria used to classify a URL parameter as “highly targeted contextual advertising.” These omissions make it impossible to evaluate the reproducibility or robustness of the leakage classification.
minor comments (2)
- [Abstract] The abstract states findings but supplies no methodological details, sample sizes, or error analysis; moving a concise methods summary into the abstract would improve readability.
- [Related work] The paper does not cite prior network-measurement studies of health or ad-tracking apps that used similar TLS-stripping techniques; adding such references would help situate the contribution.
Simulated Author's Rebuttal
We thank the referee for their detailed and constructive review. We address each major comment below and will revise the manuscript to incorporate additional methodological details where feasible.
read point-by-point responses
-
Referee: [Measurement methodology (as described in the abstract and methods narrative)] The central claim of explicit health-data leakage and implicit leakage via targeted ad URLs in n=5 apps rests on the fidelity of the TLS-stripped captures obtained under standardized interactions. The measurement description provides no evidence that certificate pinning, proxy detection, or device-signal conditioning were checked (e.g., via static analysis of the APKs, comparison runs without the MITM proxy, or confirmation that all observed ad domains were successfully decrypted). Without such validation, the observed fields and URL parameters could be artifacts of the test environment rather than production exfiltration.
Authors: We acknowledge that the current methods narrative does not explicitly report validation steps for certificate pinning or proxy detection. The TLS-stripping approach followed standard practices for Android traffic analysis, and no anomalous behaviors (such as connection failures) were observed during captures. To strengthen the paper, we will add a dedicated methods subsection reporting: (1) static APK analysis results for known pinning libraries, (2) side-by-side comparison runs confirming that ad domains decrypt only under the proxy, and (3) confirmation that all reported URLs were successfully intercepted. These additions will directly address concerns about potential artifacts. revision: yes
-
Referee: [Abstract and methods narrative] The abstract and methods narrative supply no sample sizes beyond the n=5 subset, no error analysis, no controls for app version or device configuration, and no quantitative criteria used to classify a URL parameter as “highly targeted contextual advertising.” These omissions make it impossible to evaluate the reproducibility or robustness of the leakage classification.
Authors: We agree that greater detail on experimental parameters is needed for reproducibility. In revision we will expand the methods to specify: total interactions per app (typically 12 standardized flows), any capture variations or failure rates, device/app-version controls (single rooted device, latest Play Store versions at time of testing), and the exact quantitative criteria (e.g., presence of menstrual-cycle or pregnancy-status parameters in ad-request URLs, cross-referenced against app feature taxonomy). These additions will allow readers to assess the classification robustness. revision: yes
Circularity Check
Empirical measurement study with no derivations or equations
full rationale
This is a network measurement study that records TLS-stripped traffic from standardized app interactions and reports observed data fields and ad URLs. No equations, fitted parameters, predictions, or first-principles derivations are present, so none of the enumerated circularity patterns (self-definitional, fitted-input-called-prediction, self-citation load-bearing, etc.) can apply. The claims rest on direct traffic observations rather than any chain that reduces to its own inputs by construction.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Menstruapps - how to turn your period into money (for others),
N. Felizi and J. Varon, “Menstruapps - how to turn your period into money (for others), ” https://chupadados .codingrights.org/en/ menstruapps-como-transformar-sua-menstruacao-em-dinheiro- para-os-outros-2/, 2017
2017
-
[2]
Quantifying fertility and reproduction through mobile apps: a critical overview
V. Rizk and D. Othman, “Quantifying fertility and reproduction through mobile apps: a critical overview.”Arrow for Change, vol. 22, p. 13–21, 2016
2016
-
[3]
“i did watch ‘the handmaid’s tale
N. Mcdonald and N. Andalibi, ““i did watch ‘the handmaid’s tale”: Threat modeling privacy post-roe in the united states, ”ACM Transac- tions on Computer-Human Interaction, vol. 30, no. 4, pp. 1–34, 2023
2023
-
[4]
“i deleted it after the overturn of roe v. wade
J. Cao, H. Laabadli, C. H. Mathis, R. D. Stern, and P. Emami-Naeini, ““i deleted it after the overturn of roe v. wade”: Understanding women’s privacy concerns toward period-tracking apps in the post roe v. wade era, ” inProceedings of the 2024 CHI Conference on Human Factors in Computing Systems, 2024, pp. 1–22
2024
-
[5]
Intimate data sharing: Enhancing trans- parency and control in fertility tracking,
A. I. Hudig and J. Singh, “Intimate data sharing: Enhancing trans- parency and control in fertility tracking, ” inProceedings of the 2025 CHI Conference on Human Factors in Computing Systems, 2025, pp. 1–24
2025
-
[6]
Collective privacy sensemaking on social media about period and fertility tracking post roe v. wade,
Q. Song, R. Ma, Y. Kou, and X. Gui, “Collective privacy sensemaking on social media about period and fertility tracking post roe v. wade, ” Proceedings of the ACM on human-computer interaction, vol. 8, no. CSCW1, pp. 1–35, 2024
2024
-
[7]
“our users’ privacy is paramount to us
Q. Song, R. H. Hernandez, Y. Kou, and X. Gui, ““our users’ privacy is paramount to us”: A discourse analysis of how period and fertility tracking app companies address the roe v wade overturn, ” inPro- ceedings of the 2024 CHI Conference on Human Factors in Computing Systems, 2024, pp. 1–21
2024
-
[8]
Explor- ing privacy practices of female mhealth apps in a post-roe world,
L. M. Malki, I. Kaleva, D. Patel, M. Warner, and R. Abu-Salma, “Explor- ing privacy practices of female mhealth apps in a post-roe world, ” in Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, 2024, pp. 1–24
2024
-
[9]
Unveiling privacy and security gaps in female health apps,
M. Hassan, M. Jameel, T. Wang, and M. Bashir, “Unveiling privacy and security gaps in female health apps, ” 2025. [Online]. Available: https://arxiv.org/abs/2502.02749
arXiv 2025
-
[10]
OpenRTB Integration,
G. D. Documentation, “OpenRTB Integration, ” 2026. [Online]. Avail- able: https://developers.google.com/authorized-buyers/rtb/openrtb- guide
2026
-
[11]
TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones,
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones, ” inProceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, ser. OSDI’10, Oct. 2010
2010
-
[12]
The Government Uses Targeted Advertising to Track Your Location. Here’s What We Need to Do
L. Cohen and H. Hongo, “The Government Uses Targeted Advertising to Track Your Location. Here’s What We Need to Do.” 2026. [Online]. Available: https://www.eff.org/deeplinks/2026/03/targeted- advertising-gives-your-location-government-just-ask-cbp
2026
-
[13]
*Privacy Not Included: Reproductive Health,
Mozilla Foundation, “*Privacy Not Included: Reproductive Health, ”
-
[14]
no pregnancy
[Online]. Available: https://www .mozillafoundation.org/en/ privacynotincluded/categories/period-ovulation-trackers/ A Explicit Data Leakage Source Code Verification To verify that suspicious query parameters explicitly leaked user health data, we conducted manual review of decompiled app source code. Foreknowledge of the specific (sub)strings of interest...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.