Key Takeaways
- MyChart APK contains about 250 deep links for internal navigation
- Deep links can open patient data screens via the epicmychart:// scheme
- Static inspection shows richer functionality than typical patient portals
- Analysis excludes runtime testing, leaving potential vulnerabilities unverified
- Android APKs are zip-based and easier to analyze than iOS IPAs
Pulse Analysis
Epic Systems' MyChart patient portal has become a cornerstone of digital health, giving patients access to records, appointments, and medication details from their smartphones. The web version is familiar, but the Android app's APK, which is essentially a zip archive of compiled code, resources, and a manifest, offers a deeper look at what the app can do. By unpacking the package with tools such as apktool and jadx, an analyst can map every declared permission, resource, and custom URL scheme and so recover the app's full functional blueprint without ever launching it.
One of the most striking findings of the static analysis is the presence of roughly 250 distinct deep links, each using the epicmychart:// scheme. These links let external triggers such as an email, an SMS, or a QR code open the app directly on a specific screen, from medication lists to sharing interfaces. This improves the user experience, but it also creates a potential vector for phishing or unauthorized data exposure if a malicious actor can craft a deceptive link. Because deep links bypass the typical authentication flow, any flaw in how the app validates the incoming intent could grant unintended access to sensitive health information.
The implication for the healthcare technology sector is clear: mobile health apps must be scrutinized not only for their visible features but also for the hidden pathways they expose. Static analysis of the kind performed on MyChart is a valuable first step, but it has to be complemented by dynamic testing, threat modeling, and rigorous compliance checks. As regulators tighten oversight of patient data privacy, developers should prioritize secure deep-link handling and adopt industry-standard practices to protect the growing ecosystem of digital health services.
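To make the manifest-level part of that inventory concrete, here is an added Python example (not code from the article, Epic, or MyChart) that walks an apktool-decoded AndroidManifest.xml and lists every activity reachable through a given custom scheme, flagging which ones are both exported and BROWSABLE and therefore openable from an external link. The manifest it parses is a constructed sample, not MyChart's real manifest.

```python
# Added example (not from the article): enumerate custom-scheme deep links in an
# apktool-decoded AndroidManifest.xml. The manifest below is constructed for
# illustration and is not MyChart's real manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="epicmychart" android:host="medications"/>
        <data android:scheme="epicmychart" android:host="share"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="epicmychart" android:host="debug"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def find_deep_links(manifest_xml, scheme):
    """Return (activity, host, reachable) for each <data> entry using `scheme`;
    reachable means exported activity + BROWSABLE filter (openable from a link)."""
    root = ET.fromstring(manifest_xml)
    links = []
    for activity in root.iter("activity"):
        # An omitted android:exported defaulted to true when filters exist (pre-API 31).
        exported = attr(activity, "exported") != "false"
        for filt in activity.findall("intent-filter"):
            browsable = any(attr(c, "name") == "android.intent.category.BROWSABLE"
                            for c in filt.findall("category"))
            for data in filt.findall("data"):
                if attr(data, "scheme") == scheme:
                    links.append((attr(activity, "name"), attr(data, "host"),
                                  exported and browsable))
    return links

if __name__ == "__main__":
    for name, host, reachable in find_deep_links(SAMPLE_MANIFEST, "epicmychart"):
        print(f"{name}: epicmychart://{host}  externally reachable: {reachable}")
```

Run it against the `AndroidManifest.xml` that apktool writes to get the per-screen list the article counts; `activity-alias` elements can also carry intent-filters and are worth adding to the walk for a complete inventory.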
MyChart Unpacked