Published on: October 29, 2024
In today’s world, “free” apps have become an important part of our daily lives, offering convenience without any overt costs. However, these apps often have covert costs that come in the form of users’ personal data and privacy.
Many of these apps by default request extensive permissions — which begs the question, “How much data do they really need to function?” While some permissions are necessary, others may be used to track users, mine their data, and even sell their information to third parties, without any clear reason or even consent.
At Safety Detectives, we believe users should have the information they need to assess whether these permissions align with the app’s purpose or present a potential privacy risk.
To this end, we’ve examined some of the most popular apps and the permissions the apps request. Through this research, we aim to raise awareness about the hidden costs associated with free apps and the importance of data security and privacy in the digital age.
Research Context and Its Importance
In 2023, smartphone users spent 5.1 trillion hours on mobile apps. In 2020, 98% of global mobile app revenue was generated from free apps. Taken together, these numbers highlight the fact that many apps generate revenue through means other than direct sales.
While some apps, such as many social media and search engine apps, generate revenue through paid advertisements, others harvest and sell an alarming amount of user data. And these two things aren’t mutually exclusive — apps that run paid ads may also harvest user data.
Free apps, while convenient, often request permissions such as access to contacts, location, and audio. By examining these permissions and the level of access they provide to personal information, users can determine whether they are necessary for the app to function or if they are being misused for data harvesting, tracking, or sharing with third parties.
To explore this further, we grouped apps from both Android and iOS platforms into different categories like social media, utilities, gaming, and shopping. This classification enabled us to examine permission requests specific to each app type, providing deeper insights into their intended use and potential misuse of data.
The pie charts below show the distribution of apps across various categories. For apps that fell under multiple categories, the most relevant or broadest category was chosen.
Interestingly, the iOS App Store categorizes popular Google apps — such as Google, Chrome, Gmail, and Google Maps — differently than the Google Play Store. This is likely because these apps are not pre-installed on Apple devices, prompting users to search for and download them individually.
Analysis of Common Permissions Requested by Top Free Apps
Permissions are requests made by an application to access hardware or data on a user’s device. Ostensibly, the app needs these permissions to function properly, but many apps request access without an apparent cause. Users are typically asked to grant or deny requests like access to contacts or microphone when they first launch an app.
Overview of Frequently Requested Permissions
These permissions, while often essential for app functionality, can also result in extensive data collection by the app makers.
For this study, we examined common permissions requested by the top 50 apps on both platforms across various categories.
The free apps used in this study were selected based on their rankings from the Appfigures website. We focused on app listings from both Android and iOS platforms, specifically within the United States.
Selected Free Apps for Analysis
Although specific data categories collected by these apps are not detailed here, the following apps represent some of the most frequently used and downloaded applications on both platforms.
Understanding App Permissions: What Are You Really Giving Access To?
As outlined above, mobile applications often request access to features and data which can be grouped into essential permissions (like a photo editing app requiring access to photos for core functionality) and non-essential permissions (like accessing contacts for a gaming app, which may not align with the app’s primary purpose).
In the graphical representation below, users can see how free apps on both Android and iOS frequently request access to a wide range of data.
While these data types are sometimes necessary for enhancing app performance and user experience, their collection for analytics and advertising raises significant user privacy concerns.
Google’s Data Collection Framework for Apps on the Play Store
Google places the responsibility of data collection on developers of apps available on the Play Store. Before launching, developers must specify what user data is collected, how it will be used, and whether its collection is optional or necessary for the app’s core functions. Notably, Google defines data as “collected” once it is retrieved from a user’s device.
The company’s data collection framework includes 14 subdivisions which expand into a total of 37 more specific data categories. In this section, we’ve analyzed and illustrated how many of the top 50 free apps collect user data across these categories.
App interactions, crash logs, and device identifiers top the list, with over 84% of apps (more than 40) requesting access to these categories. Personal information like user IDs (78%) and email addresses (72%) also ranks high. This indicates that while developers mainly focus on performance-related data collection, there are also potentially invasive data gathering practices.
Despite Google’s categorization of data collection practices, there are concerns regarding the lack of mandatory disclosure for data that is only processed temporarily and not stored. This lack of transparency raises questions about how Google ensures that such ephemeral data is genuinely deleted after use.
Apple’s Data Collection Framework for Apps on the App Store
Similar to Google, Apple places the responsibility on the developers for classifying their apps under its detailed categorization system. For this study, we’ll be focusing on Apple’s primary classification system, which includes three categories: Data Linked to You, Data Not Linked to You, and Data Used to Track You.
The first two categories contain subdivisions like Analytics, App Functionality, and Third-Party Advertising, while the third level encompasses a variety of data types, including Browsing History and Financial Info.
Many developers avoid categorizing their apps under tracking, and those that do tend to use Device ID and User ID, mirroring trends observed on the Play Store.
To explore the Data Linked to You category, we analyzed how apps gather data across a number of subcategories, including Analytics, App Functionality, Developer’s Advertising or Marketing, Product Personalization, Third-party Advertising, and Other Purposes.
The data categorized as Analytics reveals that 92% (46 apps) collect information on product interactions and 82% (41 apps) collect device and user ID data. Performance data, search history, and purchase history are collected by 60% of apps, or over 30. In contrast, more sensitive data, like health information and credit details, is collected by less than 15% of the apps.
The App Functionality category highlights extensive data collection, with common data types like user ID (96% of apps), device ID (80% of apps), and email address and product interaction (84% of apps). Performance data, names, coarse location, purchase history, phone numbers, and crash data are also collected by over 70% of apps, or 35.
Sensitive data, including precise location, photos, videos, and payment info, is gathered by more than 50% of the apps, revealing a more invasive level of collection than we saw captured for “Analytics.” Less than 35% of apps collect audio data and browsing history, while highly specific data, like hands and environment scanning, is rarely collected, with only 1 app collecting each.
For Advertising or Marketing, data collection practices highlight a strong focus on user identification and interaction. Over 60% of the apps collect device and user ID, email address, and product interaction information, while 48% gather purchase history and advertising data.
Less than 20% of apps collect personal information like physical addresses, precise location, and contacts, suggesting a selective approach to sensitive data.
For the Other Purposes category, data collection is more limited and focuses on key user details. Around 30% or 15 apps capture user ID, while 26% or 13 apps gather device IDs. Approximately 20% or 10 apps access personal details like names, email addresses, phone numbers, and coarse location.
Details like payment info, advertising data, and other user contact info are collected by 12% of apps or 6 in total. Sensitive data like fitness, health, and sensitive information are not collected at all.
In the Product Personalization category, data collection centers around enhancing user experiences. The most commonly gathered data includes product interaction (72%), user ID (66%), and search history (64%).
Less frequently gathered data includes phone numbers (18%), sensitive info, and diagnostic data (<10%). Only 2% of apps collect information related to hands, fitness, health, or customer support, with none collecting environment scanning and credit information.
For Third-Party Advertising, the data collection revolves around user identification and interaction to boost targeted advertising. Of the 50 apps analyzed, 46% collect advertising data, 44% capture user IDs and product interactions, 40% obtain device identifiers, 38% collect coarse location details, and 32% gather email addresses.
Around 12% of apps collect physical addresses, performance data, and other diagnostic information, while highly sensitive data such as credit, health, and other sensitive information are not collected at all.
Overall, we can say that extensive gathering of user-generated data highlights the growing trend of apps using personal data to increase engagement and personalization. However, while necessary for app functionality, the use of this data for analytics and advertising raises significant privacy concerns.
Do App Permissions Match Their Purpose? A Look at Functionality vs. Access
We aimed to examine how closely app permissions align with an app’s stated purpose. Our analysis focused on identifying instances in which apps request access to data or device features that seem unnecessary for their core operations.
Our analysis also focused on the potential privacy concerns and risks associated with granting these permissions.
Among the apps we reviewed, more than 75% of social networking apps request sensitive information, like physical address and financial information, indicating that their focus on collecting user data prioritizes monetization over enhancing core functionalities.
In contrast, apps like PayPal, Spotify, and Google Maps follow a different approach to data collection. Their permission requests, like access to video and payment information, are closely tied to improving user experience by enabling content sharing or facilitating transactions.
Given these insights, users should be aware of the sensitive information requested by social networking apps. For instance, data related to precise location and other sensitive personal information can endanger users’ safety and data security.
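The comparison described in this section can be automated for Android apps by reading the permissions an app declares in its manifest and checking them against what its category plausibly needs. The following is an added example, not code from this study: the per-category baseline, the sensitive-permission set, and the sample manifest (a hypothetical game, `com.example.puzzlegame`) are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline (illustrative, not from the study): permissions a reviewer
# would accept as tied to core functionality for each app category.
EXPECTED = {
    "photo_editor": {"android.permission.READ_MEDIA_IMAGES",
                     "android.permission.CAMERA"},
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}

# Permissions that expose personal data and need a clear justification.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.READ_MEDIA_IMAGES",
}

# Constructed sample manifest for a hypothetical game.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:  # skip malformed entries with no android:name
                perms.add(name)
    return perms


def audit(manifest_xml, category):
    """Split requested permissions into essential and non-essential groups."""
    if category not in EXPECTED:
        raise ValueError(f"no baseline defined for category {category!r}")
    requested = requested_permissions(manifest_xml)
    extra = requested - EXPECTED[category]
    return {
        "essential": sorted(requested & EXPECTED[category]),
        "non_essential": sorted(extra - SENSITIVE),
        "non_essential_sensitive": sorted(extra & SENSITIVE),
    }
```

The `non_essential_sensitive` bucket is the one to question first: for the sample game it contains contacts and precise location, neither of which the assumed baseline ties to gameplay.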
Potential Misuse of Permissions and Privacy Policies
We analyzed how free apps manage user data, from basic identifiers like device IDs to more sensitive details such as location, search history, and user-generated content. Our focus was on how these apps collect and share personal data with third parties, raising important concerns about transparency and privacy.
Similar to data collection practices, Google and Apple have frameworks outlining how developers can use the gathered data.
Google’s Data Sharing Framework for Apps on the Play Store
Developers must disclose the types of data their apps collect and share with third parties. Google considers “shared” data as information accessed by the app and transferred to third parties, though this might not apply to user-consented data.
Often, these permissions are accepted through intrusive pop-ups during app use, which users may agree to quickly without fully understanding the implications.
The following visual illustrates the 37 categories that outline this data sharing.
As seen in the graphical representation above, many free popular apps on the Play Store share a variety of user data with third parties, which, if misused, can lead to privacy and security risks.
Apple’s Data Sharing Framework for Apps on the App Store
Apple defines tracking as linking user data with third-party data for targeted advertising or measurement purposes. Tracking also includes sharing data with data brokers, except for fraud prevention or security. However, data that stays on the device and isn’t linked to the user or their device is not considered tracking.
Most developers avoid labeling their apps as tracking-related, similar to trends on the Play Store. When tracking does occur, it commonly involves device and user IDs, while sensitive details like phone numbers, health, and fitness data are rarely collected.
In this section, we have explored the categories that typically involve the collection and sharing of data with third parties: Data Used to Track You and Data Not Linked to You.
As seen above, 50% of the apps collect device ID and 36% collect user ID details, while sensitive personal information, like health and financial data, is rarely tracked.
Note: Some sub-categories are not included here because none of the analyzed apps track data related to those areas.
Apps primarily focus on tracking diagnostic-related data to ensure smooth functionality, with over 20% collecting crash and performance data. Additionally, about 2-4% of these apps gather basic identifiers like user and device IDs, as well as information related to contacts, location, usage data, search history, environment scanning, and user-generated content.
If not handled properly, this information can result in potential security and privacy risks to users and their personal data.
Understanding Data Security Practices: A Look at Google Play Store’s Approach to Data Protection
We assessed the security measures outlined by the Google Play Store to understand how app developers handle user data. Our focus was on determining whether the reviewed apps adhere to the three key areas emphasized by Google — data encryption, independent security reviews, and data deletion requests — to protect user privacy and data.
Interesting facts in the three critical security areas outlined for app developers:
- Data Encryption: This indicates whether user data is securely transmitted. Out of 50 analyzed apps, only 4 do not encrypt data, including the widely used social platform Reddit and three games: Spin Wheel, Build a Queen, and Pizza Ready!
- Independent Security Review: Only three apps (Temu, TikTok, and Roblox) have undergone independent security audits.
- Data Deletion Requests: Users can request their data deletion in 46 of 50 apps, but Spin Wheel, Pizza Ready!, Traffic Escape!, and DoorDash do not provide this option. This is especially concerning for DoorDash, which collects sensitive data like users’ addresses and food preferences.
Our overall analysis revealed that while over 90% of the apps claim to comply with data protection measures, gaps in data sharing and security can still expose users to significant risks, including unauthorized profiling, privacy breaches, and regulatory non-compliance.
Interestingly, Apple doesn’t provide information on app security measures, leaving it unclear whether data is encrypted, the app is independently verified, or if users can request data deletion.
Curious Cases of Data Practices: Apps on Google Play Store
Our research into app permissions revealed several curious cases on the Google Play Store, where these apps claim not to collect any data but actually gather device or user ID data, along with sensitive personal user information. Some of the apps include:
The prevalence of apps that claim to prioritize user privacy while potentially compromising it highlights the need for users to critically evaluate app permissions and data practices before use.
Methodology
This research primarily relied on manual data collection, starting with the evaluation of three potential sources: Similarweb, Appfigures, and data.ai’s “State of Mobile” report. After reviewing the options, the Appfigures list was chosen for its real-time updates and inclusion of both Google Play Store and App Store rankings, despite unclear criteria behind the rankings.
The other two sources were disregarded due to their limitations. Similarweb’s ranking was based on a 28-day user activity window, while data.ai’s “Top App & Games of 2023” list was too limited. This list couldn’t be expanded to include the 40 additional apps needed for this study.
Once the Appfigures list was compiled, the focus was narrowed to top-performing apps in the US, as no global list was available — likely because app rankings are specific to individual countries. Both the Google Play and iOS stores were examined to classify the apps into relevant categories. The app rankings from May 27, 2024, were verified for accuracy against data for Spain, to ensure that they were consistent with the Google Play Store rankings.
Next, the apps were individually analyzed to identify patterns related to unnecessary permissions that could compromise user privacy as well as to uncover how free apps request excessive permissions to mine user data, often for marketing or transactional purposes. Finally, a detailed overview was created to highlight the hidden costs of these apps and their impact on individual privacy and security.
Discussion
In conclusion, the study highlights the hidden costs of using “free” apps, specifically how many apps request extensive permissions that go beyond what is necessary for their core functionality.
The findings reveal concerning trends in app permissions and data practices that have significant implications for user privacy and control. Social networking apps, in particular, often request unnecessary sensitive information that is not essential for their operation, indicating a focus on data collection for monetization purposes. Additionally, the lack of clarity surrounding data-sharing practices raises important concerns about user trust and transparency.
Overall, these findings emphasize the urgent need for users to be more vigilant when evaluating app permissions and data practices. Moreover, regulatory bodies and app developers need to prioritize user privacy by establishing clear and transparent guidelines for data collection and security practices.