The popular apps that are SPYING on you: Cybersecurity experts issue urgent warning over 'data hungry' apps that can access your location, microphone and data
But according to a new investigation, 'data hungry' smartphone apps like Facebook and Instagram ask for 'shocking' levels of access to your personal data.
Experts at consumer champion Which? investigated 20 popular apps across social media, online shopping, fitness and smart home categories.
They found all of them ask for 'risky' permissions such as access to your location, microphone, and files on your device – even when they don't need to.
The experts urge people to be more careful about what exactly we agree to when we download an app and mindlessly agree to permissions.
We could be compromising our privacy when we hastily tap 'agree'.
'Millions of us rely on apps each day to help with everything from keeping on top of our health and fitness to doing online shopping,' said Harry Rose, editor of Which?
'While many of these apps appear to be free to use, our research has shown how users are in fact paying with their data – often in scarily vast quantities.'
Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps on an Android handset.
The list included some of the biggest names in social media (including WhatsApp, Facebook, Instagram, TikTok), online shopping (Amazon, AliExpress) the smart home (Samsung Smart Things, Ring Doorbell) and fitness (Strava).
Combined, the 20 apps have been downloaded over 28 billion times worldwide – meaning the average UK adult is likely to have several of them on their phone at any given time.
If someone were to have all 20 downloaded on their device, collectively they would grant a staggering 882 permissions – potentially giving access to huge amounts of an individual's personal data.
Overall, the team found Chinese app Xiaomi Home asked for a total of 91 permissions – more than any other app in the study – five of which are described as 'risky'.
Risky permissions include those that access your microphone, can read files on your device, or see your precise location (usually referred to as 'fine location').
Such data is a valuable commodity and may allow firms to target users with 'uncannily accurate adverts'.
Samsung's Smart Things app asked for 82 permissions (of which eight are risky), followed by Facebook (69 permissions, six risky) and WhatsApp (66 permissions, six risky).
Overall, Xiaomi asked for a total of 91 permissions - more than any other app in the study - five of which described as 'risky'
Xiaomi Home was also one of two apps (alongside AliExpress) to send data to China, including to suspected advertising networks – although this was flagged in the privacy policy by both.
Ali Express requested six risky permissions such as precise location, access to microphones and reading files on the device.
AliExpress also bombarded users with a deluge of marketing emails after download (30 over the course of a month) but the researchers did not see any specific permission request from AliExpress to do so.
Temu, another Chinese-owned online marketplace, also gave a heavy push to sign up to email marketing – which many users could easily agree to without realising, the experts reasoned.
Among social media apps, Facebook was 'the most keen for user data' as it wanted the highest number of permissions (69 in total, six of which risky), followed by WhatsApp (66 altogether, six of which risky).
TikTok, meanwhile, asked for 41 permissions, including three risky ones, including the ability to record audio and view files on the device, while YouTube asked for 47 permissions, four of which were 'risky'.
Overall, 16 of the 20 apps requested a permission that allows apps to create windows on top of other apps – effectively creating pop-ups on your phone, even if you opted out of the app sending notifications.
Seven also wanted a permission that allows an app to start operating when you open your phone even if you haven't yet interacted with it.
In some cases there are clear uses for risky permissions – for example the likes of WhatsApp or Ring Doorbell may need microphone access in order to carry out certain functions.
But other examples the need for risky permissions was less clear cut, according to Which?
For example, four apps – AliExpress, Facebook, WhatsApp and Strava – requested permission to see what other apps recently used or currently running.
The researchers stress that the investigation was conducted on an Android phone and that permissions may vary on Apple iOS devices.
But we should all be more careful of tapping "yes" to permissions while mentally on 'autopilot' without really being aware of what we're agreeing to, Mr Rose said.
'Our research underscores why it's so important to check what you're agreeing to when you download a new app,' he added.
The full findings can be read on the Which? website.
In response to the findings, Meta (which owns WhatsApp, Facebook and Instagram) said none of its apps 'run the microphone in the background or have any access to it without user involvement'.
Meta also said that users must 'explicitly approve' in their operating system for the app to access the microphone for the first time.
A Samsung spokesperson said: 'All our apps, including SmartThings, are designed to comply with UK data protection laws and relevant guidance from the Information Commissioner's Office (ICO).'
Meanwhile, TikTok said that privacy and security are 'built into every product' it makes. It added: TikTok 'collects information that users choose to provide, along with data that supports things like app functionality, security, and overall user experience'.
Strava said that risky permission it takes, such as precise location, allow it to 'provide the very service that our users are requesting'. It said that it has 'implemented appropriate guardrails' around how data is 'collected, shared, processed, and used'.
Amazon said that device permissions are to provide 'helpful features', such as 'the ability to visualise products in their home with their device's camera or search for products using text-to-speech'. It added: 'We also give customers clear control over personalised advertising by requesting consent when they visit our UK store and providing options to opt out or adjust preferences at any time.'
AliExpress claimed that the precise location permission is not used in the UK, and the microphone permission requires user consent. It added: 'We strive to create a platform where consumers can shop with confidence, knowing that their data is safeguarded in accordance with the law and our strict privacy policy. We welcome the findings from Which? as an opportunity to redouble our efforts in this area.'
Ring said that it doesn't 'use cookies or trackers on the Ring app for advertising' and all permission as used to 'provide user-facing features'. It added: 'We design our products and services to protect our customers' privacy and security, and to put our customers in control of their experience. We never sell their personal data, and we never stop working to keep their information safe.'
A Temu spokesperson said precise location permission is 'used to support completing an address based on GPS location' but it is not used in the UK market, adding that it 'handles user data in accordance with local and international regulations and in line with leading industry practices'.
Google (representing YouTube), Xiaomi, Impulse and MyFitnessPal did not respond to requests for comment.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Reuters
26 minutes ago
- Reuters
Pinterest beats revenue estimates as AI tools drive ad spend
Aug 7 (Reuters) - Pinterest (PINS.N), opens new tab beat analysts' estimates for second-quarter revenue on Thursday, as increased marketing spend on the platform was fueled by its artificial intelligence-powered advertising tools. However, shares of the company fell around 8.2% in extended trading. The stock has risen about 35% so far this year. The social media platform's rapid growth among Gen Z users—who now represent more than half of its user base—combined with the AI-powered tools for personalized and automated campaigns, has made the platform attractive to advertisers. Pinterest's results follow Meta (META.O), opens new tab and Reddit's (RDDT.N), opens new tab strong second quarter performance last week. In contrast, Snap (SNAP.N), opens new tab reported its slowest quarterly revenue growth in over a year. The company's focus on direct-response ads, designed to prompt specific actions like shopping, app downloads, or website visits, continued to drive ad demand. "We've found our best product market fit ever by becoming a personalized shopping destination for users and an AI-powered performance platform for advertisers," CEO Bill Ready said in a statement. Pinterest has third-party ad deals with Google (GOOGL.O), opens new tab, (AMZN.O), opens new tab and advertising platform Magnite (MGNI.O), opens new tab. Revenue for the second-quarter grew 17% to $998.2 million, beating analysts' average estimate of $974.8 million, according to data compiled by LSEG. Global monthly active users on the platform rose 11% to 578 million, exceeding estimates of 553 million. Pinterest expects third quarter revenue to be between $1.03 billion and $1.05 billion, compared with estimates of $1.03 billion.
Reuters
an hour ago
- Reuters
Block raises annual profit forecast on resilient consumer spending
Aug 7 (Reuters) - Block (XYZ.N), opens new tab reported a rise in second-quarter operating income on Thursday and raised its expectations for full-year gross profit, as the payments firm was helped by resilient consumer spending. Businesses and individuals have continued to spend on essential products, even as they have cut back on discretionary expenses amid macroeconomic uncertainty. The Jack Dorsey-led firm now expects 2025 gross profit of $10.17 billion, up from the $9.96 billion it forecast earlier. Its Cash App, which enables peer-to-peer mobile payments, reported a gross profit growth of about 16% in the second quarter ended June 30. This was slower than the 23% growth it reported in the year-ago period. On an adjusted basis, the company reported net profit of $385 million, or 62 cents per share, in the second quarter, compared with $301 million, or 47 cents per share, in the year-ago period. Shares of Block have lost nearly 10% in 2025 due to market volatility and a profit forecast cut, significantly underperforming the broader market.
The Guardian
2 hours ago
- The Guardian
New all-electric town in Kent strikes deal to supply power back to the grid
One of Britain's first all-electric towns to be built with almost no reliance on fossil fuels could soon help to power the grid with renewable energy. The developers of a new garden town in Kent have struck a deal with a leading energy infrastructure company to design and operate a 'smart' energy grid, which could mean its 8,500 households act as a virtual power plant for the rest of the country. Those moving into the Otterpool Park development from 2027 will live in homes equipped with electric hobs, heating systems and electric vehicle chargers – as well as rooftop solar panels and batteries to power their fossil fuel free households. In addition, developers hope to build a solar farm on the council-owned land adjacent to the town, which would generate enough electricity to meet half the town's electricity needs. In total, the town will have about 34 megawatts of renewable energy capacity, and one communal grid-scale battery for every 300 homes, meaning its residents will be able to make 'significant savings on their energy bills from day one', according to SNRG, the infrastructure company behind the plans. The town's on site electricity sources will also mean that its developers can avoid paying for significant grid reinforcements to connect the National Grid, which is a major source of delay for around a third of housing developments, according to property experts Knight Frank. The all-electric town will still draw from Britain's power grid to meet its electricity needs – particularly during the gloomier winter months – but when parts of the National Grid need extra electricity, Otterpool Park will help keep the lights on. Dan Nicholls, the chief product officer at SNRG, said the micro grid would coordinate all the electricity devices and generation sources to use as much local solar power as possible while minimising the cost of importing electricity from the National Grid. Sign up to Down to Earth The planet's most important stories. Get all the week's environment news - the good, the bad and the essential after newsletter promotion The cumulative impact of pausing the town's car chargers for a matter of seconds could save enough electricity to help the National System Operator manage a shortfall of power in another part of the National Grid, according to Nicholls. 'No one single [electric vehicle] charger could create this impact – but reducing the charge for a few seconds on every charger could create an aggregated benefit. A small contribution from each charger creates a big saving for the grid,' he said. SNRG is pursuing other similar projects across the country, but Otterpool is the most advanced, Nicholls added. Jim Martin, the leader of Folkestone and Hythe district council, described the plans as 'a perfect example of what can be delivered using renewable energy and reducing carbon emissions'. 'While the solar park is subject to a planning application, which will of course enable the public to give their views and allow further scrutiny by councillors, the prospect of generating green power on land already owned by the council and at no cost to local taxpayers is very attractive,' he said.
