How much do apps know about you? 5 ways to improve your app privacy

Popular apps such as Facebook, TikTok and Temu say your privacy is important to them. What they do tells a different story

Whether shopping for bargains or training your brain, there’s an app for that. And your privacy matters when using them. But our latest investigation into some of the most popular apps in the UK shows that many of them make excessive demands on your data.

Our investigation also showed that most users have no clue what will happen with their data when they click download. And the exposure can be huge. In total the 20 apps we analysed interacted with 117 third-party tracking companies, including services engaged in advertising and marketing, and one app spammed us with 30 marketing emails over just one month, despite us not knowingly signing up.

Read on for full results of our investigation, and for tips on how to better safeguard your data when using apps.



How we feel about apps and privacy

To find out more about app use in the UK, we surveyed 2,132 people aged 18 and over. Asked what mattered to them when using apps, 91% said privacy was important, ahead of usability (90%), speed/reliability (89%) and visual appeal (77%).

When we asked about levels of concern about sharing data with certain types of apps, social media apps had the highest (65%), followed by shopping/online marketplace apps (54%), smart device apps (51%) and banking apps (49%).

To see whether these concerns were justified, and whether UK users are right to be wary about privacy, we chose 20 of the most popular apps in the UK, which combined, have been downloaded over 28 billion times worldwide. Working with cyber-security experts, Hexiosec, we used a bespoke testing framework* to assess privacy and security. 

  • Social media: WhatsApp, Facebook, YouTube, Instagram, TikTok
  • Shopping: AliExpress, Vinted, Shein, Temu, Amazon
  • Health & Fitness: Flo, Calm, Impulse - brain training games, Strava, My Fitness Pal
  • Smart devices: Xiaomi Mi Home, Bosch Home Connect, Ring Always Home, Samsung SmartThings, Tuya Smart Life

Combined, these 20 apps requested more than 800 individual permissions on your smartphone or tablet, including 78 deemed ‘risky’ because of the potentially invasive access involved. We break these down in the Permissions section below.

*Tested against a bespoke framework designed by Which?, incorporating responsibilities under data protection legislation and best practice standards, as identified by us and others (where relevant).

Ensuring a mobile phone is still getting regular updates is another important way to safeguard your data. Find out how long your phone has left with our smartphone security check.

Permissions 

Permissions are how apps get access to functions of your smartphone; some requests are logical, others less so. With all 20 apps installed, you would be asked for a staggering 882 permissions in total.

Xiaomi’s app requested the most, at 91, followed by Samsung (82), Facebook (69) and WhatsApp (66). Some 78 of the permissions across all 20 apps were classified as ‘risky’ under an industry-standard measurement system, meaning they give potentially invasive access to aspects of your phone.

You told us in the survey that an app knowing your precise location was among your biggest concerns, and 15 of the 20 apps wanted it.

Some of the risky permissions specifically ask you to opt in, or are arguably justified because they provide functionality you want. Others are harder to justify, such as a smart device app needing your precise location to detect general water hardness in your area. And some, such as microphone access and precise location, are requested despite the company claiming they are never actually used.

App name                    Total permissions   Risky permissions   Fine/precise location   Record audio   Files on device
AliExpress                  50                  6                   Y                       Y              Y
Amazon                      48                  4                   Y                       Y              Y
Bosch Home Connect          22                  2                   Y                       Y              N
Calm                        23                  2                   N                       N              Y
Facebook                    69                  6                   Y                       Y              Y
Flo                         45                  1                   N                       N              N
Impulse - Brain Training    21                  1                   N                       N              N

Testing conducted on Android; permissions may vary on Apple iOS devices. A permission is designated ‘risky’ when it gives potentially invasive access to an aspect of your mobile device; some risky permissions are perfectly legitimate because of a function you would want. Fine location is precise location, usually from GPS (the ACCESS_FINE_LOCATION permission). Record audio means access to your mobile device microphone (RECORD_AUDIO). Files on device refers to the READ_EXTERNAL_STORAGE permission.

Some risky permissions are more technical, but nonetheless potentially invasive. 16 of the apps we tested requested a permission that allows an app to draw windows on top of other apps (SYSTEM_ALERT_WINDOW, shown in Android’s settings as ‘Display over other apps’), effectively creating pop-ups on your phone even if you have said no to it sending notifications.

Seven also wanted a permission that allows an app to start running as soon as your phone boots, even if you haven’t yet opened it (RECEIVE_BOOT_COMPLETED). AliExpress, for example, wanted both of these permissions, but told us that they ‘will not be used unless necessary’.

And four apps requested a permission to see which other apps you have recently used or are currently running (GET_TASKS), despite Android having deprecated it over privacy concerns.
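If you want to check the same things on your own Android phone, the permission lists above can be pulled from the device with `adb shell dumpsys package <package>` and scanned for the requests discussed in this section. The script below is an added example written for this article; it is not part of Which?’s or Hexiosec’s testing framework, and its ‘risky’ list is an illustrative mapping of the permissions named in the text, not the industry-standard classification used in the investigation. The package name com.example.shop and the dumpsys excerpt embedded in it are constructed for the example.

```python
"""Flag risky permission requests in `adb shell dumpsys package <pkg>` output.

Added example, not tooling from Which? or Hexiosec. Usage on a real device:
  adb shell dumpsys package com.example.shop > dump.txt
  python audit_permissions.py dump.txt
With no argument it audits the constructed SAMPLE_DUMP below.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Illustrative risk list built from the permissions this article discusses.
RISKY = {
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is closed",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "files on device",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at boot without user interaction",
    "android.permission.GET_TASKS": "see running/recent apps (deprecated)",
}

# Constructed excerpt in dumpsys format for a hypothetical package; not real data.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.shop] (a1b2c3d):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.GET_TASKS
      android.permission.POST_NOTIFICATIONS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.POST_NOTIFICATIONS: granted=false, flags=[ USER_SET ]
"""

SECTIONS = {"requested", "install", "runtime"}
PERM_LINE = re.compile(r"^([\w.]+)(?::\s*(.*))?$")   # "name" or "name: granted=..., flags=[...]"
GRANTED = re.compile(r"granted=(true|false)")


def parse_dumpsys(text: str) -> tuple[set[str], dict[str, bool]]:
    """Return (requested permission names, {name: granted}) from a dumpsys package dump."""
    requested: set[str] = set()
    granted: dict[str, bool] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):          # "requested permissions:", "runtime permissions:", ...
            section = line.split()[0]
            continue
        m = PERM_LINE.match(line)
        if not m or section not in SECTIONS:       # any other line ends the current list
            section = None
            continue
        name, detail = m.group(1), m.group(2) or ""
        if section == "requested":
            requested.add(name)
        else:
            g = GRANTED.search(detail)
            if g:
                granted[name] = g.group(1) == "true"
    return requested, granted


@dataclass
class Finding:
    permission: str
    reason: str
    # None: no install/runtime grant line in the dump. Special-access permissions such as
    # SYSTEM_ALERT_WINDOW are controlled via app ops ("Display over other apps"), not here.
    granted: Optional[bool]


def audit(text: str) -> list[Finding]:
    """Requested permissions that appear in RISKY, with their grant state where the dump shows it."""
    requested, granted = parse_dumpsys(text)
    return [Finding(p, RISKY[p], granted.get(p)) for p in sorted(requested) if p in RISKY]


def report(text: str) -> str:
    requested, _ = parse_dumpsys(text)
    findings = audit(text)
    labels = {True: "GRANTED", False: "denied", None: "grant state not in this section"}
    out = [f"{len(requested)} permissions requested, {len(findings)} risky"]
    out += [f"  {f.permission:<48} {f.reason} [{labels[f.granted]}]" for f in findings]
    return "\n".join(out)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(report(source))
```

A requested permission is not the same as a granted one: runtime permissions such as location and microphone show `granted=true/false` only after you have answered the prompt, and the script reports those separately so you can see what an app asked for versus what it actually has.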


Trackers

We also checked for trackers: first- or third-party software components built into an app that monitor and collect data from your device and the app, some of them for advertising. Some trackers can operate without your consent, but where cookies or similar tracking technologies are used for online advertising, apps should ask for it.

The 20 apps used 117 trackers, topped by a mind-boggling 17 for brain training app, Impulse. Impulse interfaced with at least 9 marketing services, while MyFitnessPal, about which we raised some data concerns in 2021, had 15 trackers active, including five Google trackers and two Facebook, along with Amazon Ads. 

Xiaomi had the most detectable trackers among the smart device apps, at eight, including three Facebook ones, one for Google, Tencent, and TikTok’s Pangle. Mental health app Calm operated eight, including four for ‘ad attribution & analytics’.

It’s hard to avoid Meta and Google - some 12 of the 20 apps had Meta trackers, and 15 had Google. TikTok’s Pangle was active on 2 (Xiaomi and TikTok).

TikTok had seven active trackers, including its own marketing network, Pangle. And AliExpress contacted servers located in China, including known advertising networks, although this was flagged in the privacy policy.

Consent

Although not the only way companies can process data, consent is an important part of privacy. In our snapshot test, no app scored higher than 7.5 out of 10. 

The lowest scorer, brain training app Impulse, received just 4 out of 10 after flagging only minimal privacy information to new sign-ups. Strava, which received a consent score of just 5 out of 10, asked whether a new user wanted to allow the use of their data to personalise their experience, but the ‘accept’ button was highlighted in bold orange while the ‘decline’ option was greyed out.

Based on our assessment, we don’t think any of the apps are clear enough about what you’re signing up to before you press ‘accept’. Many rely on the privacy policy to inform you, yet only 16% of respondents in our survey said they had read one in full.

Most apps didn’t publish a full list of the third-party partners they use, although Vinted clearly stated it had a staggering 565 partners that ‘store and/or access information, eg, hashed email addresses, unique identifiers in cookies, in order to process personal data’. Its consent screen indicates that you can reject this.

Email marketing

After setting up the apps, we monitored how many potentially unwanted marketing emails each one sent over a month. Most apps didn’t send us any, but Strava (1) and Flo (4) sent a few messages.

However, three apps sent a lot – MyFitnessPal sent 17 messages, shopping app Temu fired off 23 and AliExpress sent a staggering 30 messages, at an average of one per day over a month. 

We did not see any specific permission request from AliExpress for marketing emails when we set the app up as a new customer. 

Data requests

All apps require you to provide at least some data when you set up an account, usually an email address. However, some also want to know your full name and other information to sign up for an account, even if it is to use a basic service for free. 

Facebook appeared to request the most data to set up an account of the apps we assessed - your first name, last name, birthday and gender. We asked Facebook what is made public by default but it did not respond.

How to improve your app privacy

Fortunately there are things you can do to shore up privacy when using apps. Follow the tips below to reduce the amount of data and permissions you're sharing.

  • Limit or revoke permissions: Both Apple iOS and Google Android let you control what each app can access. On Android, go to Settings > Apps, pick the app and tap Permissions (or use the Permission manager under the Privacy settings to see access by permission type); on iOS, Settings > Privacy & Security lists access by category, and each app also has its own entry in Settings. Exact menu names vary by version. You can limit a permission (for example, approximate rather than precise location, or access only while using the app) or revoke it entirely, though revoking may block some app features.
  • Use the settings: It’s always worth checking what additional app privacy controls you get. You can often limit some data tracking, revoke consent to certain aspects and lock down your account to some data sharing. This could help you continue to use the service more privately.  
  • Delete: If you aren’t sure about an app, delete it. Check the settings or privacy policy for how. And make sure all your account data is deleted, too. Periodically check unused apps on your phone, and delete them if you don't need them. Don’t give them your data for nothing in return. Some 11% of respondents in our survey had deleted an app over how it used their data.
  • Check privacy information: We’re all in a rush, but it’s worth reviewing any data collection information on the app store listing, including the permissions an app will request. The Google Play store has this in a ‘Data Safety’ section, while Apple’s App Store has it in ‘App Privacy’.  
  • Read the privacy policy: You can find it either on the app store listing or company’s website. If you don’t want to read the whole thing (who can blame you) then focus on the sections on data collection and sharing. Also look out for useful information on how to delete your data. 


What the companies said: 

Meta (WhatsApp, Facebook and Instagram) said in a background statement that none of its apps ‘run the microphone in the background or have any access to it with user involvement’. It said that users must ‘explicitly approve’ in their operating system for the app to access the microphone for the first time. 

TikTok said that privacy and security are ‘built into every product’ it makes. It added that TikTok ‘collects information that users choose to provide, along with data that supports things like app functionality, security, and overall user experience’. 

Google/YouTube did not respond to a request for comment. 

A Temu spokesperson claimed that the precise location permission is ‘used to support completing an address based on GPS location’ but it is not used in the UK market. It added: “Temu handles user data in accordance with local and international regulations and in line with leading industry practices. We remain fully committed to meeting UK regulatory requirements and to continuously improving transparency and user choice.”

Amazon said that device permissions are to provide ‘helpful features’, such as ‘the ability to visualise products in their home with their device’s camera or search for products using text-to-speech’. It added: “We also give customers clear control over personalised advertising by requesting consent when they visit our UK store and providing options to opt out or adjust preferences at any time.”

AliExpress claimed that the precise location permission is not used in the UK, and the microphone permission requires user consent. It added: “We strive to create a platform where consumers can shop with confidence, knowing that their data is safeguarded in accordance with the law and our strict privacy policy. We welcome the findings from Which? as an opportunity to redouble our efforts in this area.”

Shein did not respond to a request for comment, and we were unable to find anyone to contact at Vinted.

A Flo spokesperson said: "We don’t over-collect data, and we never trade privacy for profit. Our users always remain in control of their data. Furthermore, Flo is the first and only health app with two ISO certifications in both Privacy & Security, and Anonymous Mode — setting the standard for digital health privacy.”

Strava told us that people sign up for fitness apps with a ‘specific intent and understanding’ that the ‘value stems from accessing, visualizing, and analyzing user data’. The company also noted that risky permission it takes, such as precise location, ‘allow Strava to provide the very service that our users are requesting’. It said that it has ‘implemented appropriate guardrails’ around how data is ‘collected, shared, processed, and used’.

Calm did not provide a statement for publication. 

Impulse and MyFitnessPal did not respond by our deadline.

A Samsung spokesperson said: "At Samsung, we recognise the importance of privacy and data protection. All our apps, including SmartThings, are designed to comply with UK data protection laws and relevant guidance from the Information Commissioner's Office (ICO). Our phones come equipped with Google's Android operating system, which by default helps protect users by giving them control over what data apps can access. We fully comply with Google's operating system policies, including SmartThings. SmartThings only uses the permissions needed for the app to function properly and deliver the best possible user experience.”

Bosch said that the trackers we detected are not used for online advertising. It said that the ‘record-audio’ permission is used for a ‘chatbot functionality’ and the user must explicitly grant permission. The precise location permission is used to connect appliances to the local network, and for a ‘detergent scan’ feature to detect water hardness in someone’s local area. Bosch said it needs user consent for this and does ‘not use this permission to track user location’.
A spokesperson added: “Consumer consent and security is of the utmost importance to us. Consumers always have control over what data is recorded and used through the Home Connect app, and these preferences can be updated by the end user at any time. Any data that is recorded with consent is only ever used in the interests of improving our product and service offering.”

Ring said that it doesn’t ‘use cookies or trackers on the Ring app for advertising’ and that all permissions are used to “provide user-facing features”. It added: “We design our products and services to protect our customers’ privacy and security, and to put our customers in control of their experience. We never sell their personal data, and we never stop working to keep their information safe.”

Tuya said that all identified risky permissions are used for specific smart device functions, such as voice control or video storage, and the user has to opt-in.
It said: “At Tuya, we place user data security and privacy at the heart of our product design. We’ve implemented privacy-by-design principles across our platforms, ensuring users have clear choices and control over their data. From transparent consent flows to granular permission settings, we strive to empower users while complying with data protection laws and regulations of each country and region. Our practices are aligned with international frameworks such as the GDPR, ISO 27001, and ISO 27701. We remain committed to ongoing transparency, continual improvement, and building user trust through responsible data governance.”

Xiaomi did not respond to a request for comment.