UK DIY News
Which? Investigates Data-Hungry Smartphone Apps

An investigation by Which? has revealed how data-hungry smartphone apps ask for shocking levels of access to your location, microphone and data.
The study evaluated 20 apps across a range of categories — including shopping, social media, health, and smart home — and featured platforms such as Facebook, TikTok, Instagram, Amazon, and AliExpress. The assessment focused on the number of permissions each app requests on Android devices, as well as how many of those are classified as “risky” due to their potentially invasive nature.
It may come as a surprise to some, but of the 20 apps referenced within the report, Temu's ecommerce app requested just 12 permissions in total — the fewest of all apps tested. By comparison, other apps requested as many as 91 permissions, with several requiring access to the microphone and files.
A summary of the Which? study follows, explaining the study and findings.
A new Which? investigation has revealed how apps installed by millions of UK users demand huge amounts of user data - including asking for sometimes unnecessary access to parts of your smartphone.
Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps, including some of the biggest names in social media, shopping and health, such as WhatsApp, Facebook, YouTube, Instagram, TikTok, Amazon and Strava.
Separately, the consumer champion also carried out a nationally representative survey of over 2,000 adults to assess what people consider most important when downloading and engaging with apps.
Combined, the 20 apps Which? examined have been downloaded over 28 billion times worldwide. Their popularity is such that most UK consumers are likely to have at least a handful of these on their phones at any given time, and if a person were to have all 20 downloaded, they would grant a staggering 882 permissions - potentially giving access to huge amounts of an individual’s personal data.
Of these 882 permissions, 78 are considered risky on an industry standard grading scale - including those that access your microphone, can read files on your device, or see your ‘fine’ (precise) location. This data is a valuable commodity for advertisers, and it may be possible for firms to target users with uncannily accurate ads as a result. However, some apps specifically asked your consent before using these permissions, including risky permissions.
Location is one of people’s biggest privacy concerns according to Which?’s survey – two thirds (66%) would be concerned about an app collecting a phone’s precise location (typically based on GPS location, accurate to within 5 metres), yet 15 out of 20 apps Which? tested wanted access to this.
Additionally, 15 wanted access to files on the device, and 14 wanted permission to access the microphone.
Some risky permissions related to more technical aspects of your phone, but nonetheless are potentially invasive. Sixteen of the 20 apps Which? tested requested a permission that allows apps to create windows on top of other apps - effectively creating pop-ups on your phone even if you opted out of the app sending notifications.
Seven also wanted a permission that allows an app to start operating when you open your phone even if you haven't yet interacted with it.
While in some cases there are clear uses for ‘risky’ permissions - for example the likes of WhatsApp or Ring Doorbell may need microphone access in order to carry out certain functions - in other examples the need for risky permissions was less clear cut.
For example, four apps - AliExpress, Facebook, Strava and WhatsApp - requested permission to see what other apps you have recently used or are currently running, despite Android previously removing access to this over privacy concerns.
Bosch, meanwhile, requests users’ precise location to detect water hardness in the local area, when arguably the general geographic area, known as ‘coarse location’, might suffice. Bosch told Which? that water hardness can vary by street so a coarse location may not give the most accurate result, and this feature requires the user to opt-in first.
Which? also came across examples of apps asking for permissions they claim not to use in the UK market. For example, AliExpress requested six risky permissions such as fine location, access to microphones and reading files on the device. However, it said fine location is not used in the UK market, and said two further risky permissions would only be used if 'necessary'.
As part of its tests, Which? also developed a bespoke framework to assess consent - a key component of data protection. This enabled researchers to give each app a score out of 10 for consent.
Of the four categories Which? looked at (shopping, social media, health & fitness, smart devices), health and fitness had the lowest overall score for consent, scoring just 5.6 out of 10. This was largely pulled down by brain training app Impulse (4/10) and running aid Strava (5/10).
Impulse barely flagged any privacy information on sign up. Strava meanwhile used what researchers felt was a dubious design to nudge users to consent - the ‘agree’ button was highlighted bright orange, while the ‘disagree’ option was greyed out.
Shopping apps meanwhile came in a close second from bottom, with an average consent score of just 5.9 out of 10, pulled down by AliExpress (4.5/10), and Temu (5/10).
Researchers noted some red flags when it came to using AliExpress, with the privacy policy information, in Which?’s view, easily missed during set up.
Separately, it also bombarded users with a deluge of marketing emails after download. The app sent a staggering 30 messages, at an average of one per day over the course of a month - the highest number of the 20 apps Which? examined. Worryingly, researchers did not see any specific permission request from AliExpress for marketing emails when they set the app up as a new customer.
AliExpress was also one of two apps (alongside smart device app Xiaomi) to send data to China, including to suspected advertising networks - although this was flagged in the privacy policy.
Temu meanwhile gave a heavy push to sign up to email marketing - and researchers felt a user could easily agree without realising. Altogether it sent 23 marketing emails in 30 days - the second highest number on test.
While social media (6.9/10) and smart device apps (7/10) performed better for consent on the whole, Which?’s tests nonetheless found no app was fully transparent in how it handled getting consent.
Among social media apps, Facebook was arguably the most keen for user data - it wanted the highest number of permissions (69 in total, of which 6 are considered risky), followed by stablemate WhatsApp (66 altogether, and 6 risky).
It was also the social media app with the highest number of trackers, placing nine in total. The majority were its own, along with Google Analytics and a mapping service. Facebook also requested the most data to set up an account, including first name, last name, birthday and gender. Which? asked what information is made public by default, but did not get a response.
TikTok meanwhile asked for 41 permissions, including three risky ones - these included the ability to record audio and view files on the device.
Smart devices apps meanwhile were among the most data hungry of all the categories Which? looked at, with Xiaomi and Samsung asking for the highest numbers of permissions overall (91 and 82 permissions respectively).
Which? previously raised concerns about privacy with smart device apps last year, and has also been working with the Information Commissioner’s Office (ICO), the UK’s data protection regulator, on its new Code of Practice for how brands should handle data.
Apps and Permissions
Source : Which?
Testing conducted on Android. Permissions may vary on Apple iOS devices. A permission is designated risky if it gives potentially invasive access to an aspect of your mobile device. Some permissions are perfectly legitimate due to a function you would want. Fine location is a precise location, usually using GPS. Record audio means access to your mobile device microphone. Files on device refers to the ‘read_external_storage’ permission.
Harry Rose, Editor of Which?, said:
“Millions of us rely on apps each day to help with everything from keeping on top of our health and fitness to doing online shopping. While many of these apps appear to be free to use, our research has shown how users are in fact paying with their data - often in scarily vast quantities.
“While it’s easy to quickly skim a privacy policy and tick ‘yes’ on autopilot, our research underscores why it’s so important to check what you’re agreeing to when you download a new app.”
Which? has previously raised concerns about privacy and smart apps.

