A new report has revealed that many free smartphone apps may be putting users’ privacy at serious risk. The investigation focused on 20 widely used Android apps from categories like social media, online shopping, fitness, and smart home devices.
These apps are available for free, but they ask for access to private information that goes far beyond what they need to function.
Popular apps ask for risky permissions
The study found that every app examined requested what experts call “risky permissions.” These include access to the user’s microphone, GPS location, stored files, and even control over other apps on the phone. Some apps ask to draw over other apps, which means they can show pop-ups over anything on the screen. Others want to activate automatically when the phone is turned on, allowing them to run in the background without the user noticing.
Xiaomi Home topped the list, asking for 91 different permissions, five of which were flagged as risky. Samsung SmartThings came next with 82 permission requests, including eight risky ones. Facebook asked for 69, and WhatsApp wanted access to 66 features.
Even TikTok and YouTube requested 41 and 47 permissions respectively, with several marked as potentially dangerous. These apps have been downloaded more than 28 billion times globally, meaning they have access to massive amounts of personal information.
The concern is that many users may not be aware of what they’re agreeing to. Since the apps are free and widely trusted, people often skip over the details and allow all requested access during installation. This gives the apps permission to collect sensitive data, including where users go, what they say, and what other apps they use.
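One way to see which of the permission types described above an app declares is to read its decoded (text) AndroidManifest.xml. The following is an added example, not part of the report: the manifest and package name are constructed, and the mapping from the article's descriptions to Android permission names is an assumption, not the study's own list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: Android permission names matching the behaviours the article
# describes. This is not the list used by the study.
RISKY = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start when the phone is turned on",
    "android.permission.PACKAGE_USAGE_STATS": "see which other apps were used",
}

# Constructed sample manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smarthome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def audit_manifest(xml_text):
    """Count requested permissions and flag those listed in RISKY."""
    root = ET.fromstring(xml_text)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name and name not in requested:
                requested.append(name)
    flagged = {p: RISKY[p] for p in requested if p in RISKY}
    return {"package": root.get("package"), "total": len(requested), "flagged": flagged}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['total']} permissions requested")
    for perm, meaning in report["flagged"].items():
        print(f"  risky: {perm} ({meaning})")
```

A declared permission shows what an app may ask for, not what it has been granted; on current Android versions several of these still require a runtime prompt or a settings toggle.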
User data shared with foreign servers
AliExpress requested six risky permissions, such as precise location, microphone access, and the ability to read phone files. In one month, the app sent users about 30 marketing emails. It did this without clearly asking for permission. Another Chinese shopping app, Temu, also faced criticism. It pushed users to accept marketing emails. Many users did not realize they were agreeing to it.
Facebook, WhatsApp, Strava, and AliExpress also request access to information about which other apps users have opened or used recently. Experts say this type of tracking rarely benefits users and is mostly used for advertising or data profiling.
Apps that ask for permission to draw over other apps or access the microphone continuously are especially concerning. Apps can use these permissions to monitor users without their knowledge or consent. In many cases, developers do not clearly explain how these features benefit the user or why they are needed at all.
What experts say and company responses
The findings show that many popular apps could be collecting far more data than users expect. While the apps are promoted as free, users may be paying a hidden price by giving up control over their personal information. Even apps used for home automation or fitness tracking may be collecting details that have little to do with their main functions.
In response to the study, several companies defended their apps. Meta, which owns Facebook, Instagram, and WhatsApp, said it does not access microphones in the background without user permission. Samsung stated that its apps follow data protection laws.
TikTok said it builds privacy into every product and only collects what is needed. Strava explained that it uses location data to provide its services and claims to have strong rules in place to protect that data.
Amazon said it uses permissions for features like camera product viewing and voice search. It added that users can choose if they want personalized ads. AliExpress claimed some permissions are not used in the UK. It said users must give consent before those features are turned on. Ring said it does not use trackers for ads. It only asks for access to features that users need. Temu said its GPS features are not used in the UK. It also claimed to follow international data protection rules.