'Free' apps, costly privacy: Experts warn of data-hungry downloads
The study, conducted with cybersecurity experts from Hexiosec, analyzed 20 popular Android apps spanning social media, online shopping, smart home, and fitness categories. The findings reveal that all of them requested "risky" permissions—such as access to users' microphone, location, and device files—raising significant privacy concerns.
While apps like Facebook, Instagram, TikTok, Amazon, and WhatsApp are marketed as free, Which? warns that users are often paying with their personal information. 'Millions of us rely on apps each day for everything from health tracking to shopping,' said Harry Rose, editor of Which? 'But our research shows that users may be surrendering vast amounts of data—often unknowingly.'
Together, the 20 apps have been downloaded more than 28 billion times globally. If installed on one device, these apps would collectively request 882 permissions. Among these, Xiaomi Home requested the highest number — 91 permissions in total, five of which were flagged as risky.
Risky permissions include those that allow apps to record audio, access precise GPS location, read internal files, or even overlay content on top of other apps—often without any clear user benefit.
Samsung's SmartThings app followed with 82 requested permissions (eight risky), with Facebook demanding 69 (six risky), and WhatsApp asking for 66 (six risky).
The apps that sought permission to draw over other apps—creating pop-ups—and those that activate when a phone is turned on, were also cause for concern. TikTok, for instance, requested 41 permissions (three risky), and YouTube sought 47 (four risky).
Xiaomi Home and AliExpress were the only two apps found to send user data to servers in China, including suspected advertising networks. While this was disclosed in both apps' privacy policies, experts noted the potential implications for user data security.
AliExpress requested six risky permissions, including precise location, microphone access, and file reading. It also sent users an overwhelming 30 promotional emails within a month, despite no specific permission request for email marketing.
Temu, another Chinese online retailer, was criticized for aggressively pushing users into subscribing to marketing emails—often without them realizing it.
The Which? team advised consumers to take several steps to safeguard their privacy:
Review privacy info: Check what data an app collects before downloading it via the app store listing.n
Read the privacy policy: Focus especially on sections detailing data collection and sharing.n
Limit or revoke permissions: On both Android and iOS, users can manage what data apps can access through Settings.n
Delete apps you don't trust: Uninstall apps you're unsure about, and make sure all associated account data is deleted.n
Some apps, like Ring and WhatsApp, may require microphone access for core functionality. However, the necessity of certain permissions—like tracking which apps are open or recently used—is questionable, the experts said.
Apps including Facebook, WhatsApp, AliExpress, and Strava were found to seek such permissions.
The research was conducted using Android devices; permission settings may differ for Apple iOS users.
In response to the findings:
Meta (owner of Facebook, Instagram, and WhatsApp) claimed none of its apps access microphones in the background without user consent.n
Samsung stated that all its apps comply with UK data protection laws and ICO guidance.n
TikTok emphasized that privacy and security are 'built into every product' and that it collects only essential information.n
Strava defended its use of precise location data as necessary to deliver its services, adding that it employs 'appropriate guardrails' for data usage.n
Amazon said its permissions enable features like visualizing products using the camera and voice search, with users having control over personalized ads.n
AliExpress stated that certain permissions are not used in the UK and require user consent, asserting compliance with privacy laws.n
Ring maintained that it doesn't use trackers for advertising and only uses permissions to enable features requested by users.n
Temu said GPS-based address completion is not used in the UK and that it handles user data in accordance with international standards.n
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Kuwait Times
a day ago
- Kuwait Times
Microsoft warns Chinese hackers targeting customers
SAN FRANCISCO: Chinese state-sponsored hackers are actively exploiting critical security vulnerabilities in users of Microsoft's popular SharePoint servers to steal sensitive data and deploy malicious code, the US tech giant warned Tuesday. Microsoft said it has observed three threat groups—dubbed Linen Typhoon, Violet Typhoon, and Storm-2603 –- targeting internet-facing SharePoint servers using two newly disclosed vulnerabilities that allow attackers to bypass authentication and execute remote code. SharePoint Server is Microsoft's collaboration and document management platform designed for businesses and organizations. Many large organizations use SharePoint as their primary platform for internal collaboration and for storing documents, and is appreciated for working well with other Microsoft products like Office, Teams, and Outlook. The attacks, which Microsoft said began as early as July 7, affect only on-premises SharePoint installations and do not impact the cloud-based SharePoint Online service, the company said in a security bulletin. Microsoft warned that it 'assesses with high confidence' that the threat actors will continue their assault against vulnerable systems where companies haven't taken the necessary precautions. The vulnerabilities allow attackers to spoof authentication credentials and execute malicious code remotely on vulnerable servers. Microsoft has released comprehensive security updates to address the malware and urged customers to apply the patches immediately. In their successful attacks, the Chinese hackers deployed malicious code that provides backdoor access to compromised systems. The attackers used these tools to steal machine encryption keys and maintain access to targeted networks. Linen Typhoon, active since 2012, primarily focuses on intellectual property theft from government, defense, and human rights organizations. Violet Typhoon, operating since 2015, conducts espionage against former government officials, NGOs, think tanks, and media organizations across the United States, Europe, and East Asia. Storm-2603, which Microsoft assesses with 'medium confidence' to be China-based, has previously deployed ransomware but its current objectives remain unclear. Research from cybersecurity company Check Point said the campaign began on July 7 against a major Western government and that the attacks intensified dramatically around July 18. Since then, researchers have confirmed dozens of compromise attempts primarily targeting organizations in North America and Western Europe, Check Point said in a blog post. –AFP
Arab Times
3 days ago
- Arab Times
'Free' apps, costly privacy: Experts warn of data-hungry downloads
NEW YORK, July 22: Some of the world's most widely used smartphone apps have come under scrutiny for demanding extensive access to personal data, often beyond what's necessary for basic functionality, according to a new investigation by consumer watchdog Which? The study, conducted with cybersecurity experts from Hexiosec, analyzed 20 popular Android apps spanning social media, online shopping, smart home, and fitness categories. The findings reveal that all of them requested "risky" permissions—such as access to users' microphone, location, and device files—raising significant privacy concerns. While apps like Facebook, Instagram, TikTok, Amazon, and WhatsApp are marketed as free, Which? warns that users are often paying with their personal information. 'Millions of us rely on apps each day for everything from health tracking to shopping,' said Harry Rose, editor of Which? 'But our research shows that users may be surrendering vast amounts of data—often unknowingly.' Together, the 20 apps have been downloaded more than 28 billion times globally. If installed on one device, these apps would collectively request 882 permissions. Among these, Xiaomi Home requested the highest number — 91 permissions in total, five of which were flagged as risky. Risky permissions include those that allow apps to record audio, access precise GPS location, read internal files, or even overlay content on top of other apps—often without any clear user benefit. Samsung's SmartThings app followed with 82 requested permissions (eight risky), with Facebook demanding 69 (six risky), and WhatsApp asking for 66 (six risky). The apps that sought permission to draw over other apps—creating pop-ups—and those that activate when a phone is turned on, were also cause for concern. TikTok, for instance, requested 41 permissions (three risky), and YouTube sought 47 (four risky). Xiaomi Home and AliExpress were the only two apps found to send user data to servers in China, including suspected advertising networks. While this was disclosed in both apps' privacy policies, experts noted the potential implications for user data security. AliExpress requested six risky permissions, including precise location, microphone access, and file reading. It also sent users an overwhelming 30 promotional emails within a month, despite no specific permission request for email marketing. Temu, another Chinese online retailer, was criticized for aggressively pushing users into subscribing to marketing emails—often without them realizing it. The Which? team advised consumers to take several steps to safeguard their privacy: Review privacy info: Check what data an app collects before downloading it via the app store listing.n Read the privacy policy: Focus especially on sections detailing data collection and sharing.n Limit or revoke permissions: On both Android and iOS, users can manage what data apps can access through Settings.n Delete apps you don't trust: Uninstall apps you're unsure about, and make sure all associated account data is deleted.n Some apps, like Ring and WhatsApp, may require microphone access for core functionality. However, the necessity of certain permissions—like tracking which apps are open or recently used—is questionable, the experts said. Apps including Facebook, WhatsApp, AliExpress, and Strava were found to seek such permissions. The research was conducted using Android devices; permission settings may differ for Apple iOS users. In response to the findings: Meta (owner of Facebook, Instagram, and WhatsApp) claimed none of its apps access microphones in the background without user consent.n Samsung stated that all its apps comply with UK data protection laws and ICO guidance.n TikTok emphasized that privacy and security are 'built into every product' and that it collects only essential information.n Strava defended its use of precise location data as necessary to deliver its services, adding that it employs 'appropriate guardrails' for data usage.n Amazon said its permissions enable features like visualizing products using the camera and voice search, with users having control over personalized ads.n AliExpress stated that certain permissions are not used in the UK and require user consent, asserting compliance with privacy laws.n Ring maintained that it doesn't use trackers for advertising and only uses permissions to enable features requested by users.n Temu said GPS-based address completion is not used in the UK and that it handles user data in accordance with international standards.n
Arab Times
6 days ago
- Arab Times
Facebook deletes millions of accounts in 2025 content protection effort
NEW YORK, July 20: In a sweeping effort to bolster platform integrity, Meta has confirmed the deletion of approximately 10 million Facebook accounts in the first half of 2025, targeting impersonators and spammy profiles in what some are calling the company's largest account purge to date. The move comes amid a broader trend of major tech platforms tightening account management, with Google and Samsung previously issuing deletion warnings for inactive users. However, Facebook's actions differ significantly — targeting active accounts linked to impersonation, fake engagement, and spam. A July 14 announcement on the Facebook Creators blog detailed the rationale behind the mass removals, stating: 'We believe that creators should be celebrated for their unique voices and perspectives, not drowned out by copycats and impersonators.' The announcement referenced ongoing threats across digital platforms, including impersonation scams, which have affected users across services like Amazon Prime. Meta said its crackdown is part of a commitment to ensure original content is visible and rewarded. Since January, Meta said it has removed approximately 10 million fake accounts impersonating popular content creators. An additional 500,000 accounts engaged in spam or fake engagement saw their reach reduced, comments demoted, and monetization suspended. 'Facebook aims to be a place where original content thrives,' the company emphasized. 'We will continue taking action to protect creators and the broader community.' Following Meta's blog post, social media lit up with complaints from users alleging that their accounts were wrongly deleted. 'I strongly believe this purge, while framed as a safety measure, is sweeping up innocent people and branding them as criminals without recourse or transparency,' one user wrote. Another advised searching terms like 'Meta ban wave' on Reddit, TikTok, or Twitter, pointing to hundreds of reports of legitimate Facebook and Instagram accounts being disabled without warning. While Meta has acknowledged a 'technical error' affecting Facebook Groups, it maintains there is no evidence of widespread erroneous enforcement across its platforms. A Meta spokesperson stated: 'We take action on accounts that violate our policies, and people can appeal if they think we've made a mistake.' The company confirmed that AI is used in the content moderation process, but rejected claims that artificial intelligence was wrongly flagging large volumes of user accounts. For many users, particularly creators and public figures vulnerable to impersonation, the purge has been seen as a positive move toward a safer, more trustworthy online environment. However, the growing number of complaints from regular users caught in the crossfire is prompting questions about transparency and the limits of automated enforcement.
