New Year’s Resolution or Data Distribution – are resolution apps sharing your data?
With one in three New Year’s resolutions failing because people can’t keep track of them1, it’s no wonder many turn to apps as a solution. Though these apps may help you keep your resolutions, they don’t come without consequences.
Our researchers looked at 344 New Year’s resolution apps on the Google Play Store across 16 categories and gave each of them a privacy risk score. We then compared them based on these scores to determine which specific New Year’s resolutions apps and app categories have the greatest potential to negatively affect your digital health and privacy.
If you were planning on losing weight next year, for example, you’ll have to be extra careful.
- The least private New Year’s resolution category is weight loss, with the highest average privacy risk score of 56.2 (48.5% higher than the average across all apps).
- The category with the second-highest privacy risk is home decoration/renovation with a score of 50.5.
- The category with the third-highest privacy risk is exercise, with a score of 49.6.
- The most private New Year’s resolution category is quitting smoking, with the lowest average privacy risk score of 23.3 (38.4% lower than the average across all apps).
- Nearly 40% of all apps request dangerous location-related permissions, with precise location requested slightly more often (38.4% of all apps) than approximate location (37.2%).
- 55.2%, more than half, of the examined apps share permissions with advertisers.
- The apps that share permissions with advertisers use an average of 2.1 ad libraries (sharing permissions with 3 companies including the app developer).
- More popular apps tend to have higher privacy risk scores, with the most-downloaded apps having the highest score on average (54% higher than all apps), and the least-downloaded apps have the lowest (36.8% lower than the average).
- 84% of all the examined New Year’s resolution apps request at least one dangerous permission.
‘Privacy risk score’ explained
To help quantify which New Year’s resolution apps and app categories are more private than others, we gave them “privacy risk” scores. We assigned these scores based on the number and risk level of permissions requested2, as well as the number of advertisers they shared permissions with.
First, each app was given 1 – 3 points per permission requested, based on the risk level:
- 1 point was given for each permission with a normal protection level. Permissions in the normal range are described as posing minimal risk to other applications, the system, and the user.
- 2 points were given for each permission of the signature and signatureOrSystem protection levels. Signature permissions are described as non-dangerous, although they require fulfilling certain criteria before being granted.
- 3 points were given to each permission with a dangerous protection level. Dangerous permissions are described as higher risk, giving the requesting application access to private user data or control over the device.
Finally, we multiplied the total permission score for each app by the number of ad networks the app shares these permissions with plus one (to account for the total number of entities permissions are shared with). See “Ad Libraries,” below for more information on this.
New Year’s resolution app categories ranked
Based on these criteria, we ranked the 16 New Year’s resolution categories from worst to best. The higher the privacy risk score, the riskier it is to download an app from this category. If you see your New Year’s resolution at the top of the list, approach with caution!
Every year, around 20% of people make a resolution to lose weight3. Unfortunately for them, apps geared toward weight loss turned out to be the worst when it comes to privacy. This category has a privacy risk score of 56.2, putting it strongly in the “lead”, with a score nearly 50% higher than the average.
Not too far behind are the Decorating/renovating home, Exercising more, and Spending less time on social media categories, each with just over 30% higher scores than the average.
Conversely, the Quitting smoking resolution category has the lowest privacy risk score at 23.3, making quitting nicotine the best resolution to track via app this New Year. Reducing/stopping drinking and Charity/donating apps also perform well in terms of privacy. All three categories score around 40% lower than average.
While a privacy risk score can help you determine whether a New Year’s resolution app is worth downloading, a closer look at the components of this score provides a much clearer picture of the actual impact apps may have on your data privacy.
All of the apps we examined request permissions, with 84% requesting at least one dangerous permission. For example, 74.4% requested permission to read the contents of your USB storage. And going one step further, 66.3% actually requested permission to modify or delete the contents of your USB storage.
These aren’t the only, or even the worst permissions your New Year’s resolution apps may ask for, however. Here are the most commonly requested permissions by category:
Some permissions classed as “normal” are granted automatically at installation and could be easily overlooked by the user. All 5 of the most-requested permissions, which at least 75% of all apps request, are among them.
This includes full network access, which 99.7% of the apps we looked at requested, and view network connections, which 98% requested.
After permissions to read and modify or delete the contents of your USB, the next two most-requested dangerous permissions are location-related. Interestingly, precise location, which is arguably the worse of the two, is requested slightly more often (38.4% of all apps) than approximate location (37.2%).
Just by glancing over the above chart, three categories immediately stand out as the worst. The Volunteering, Losing weight, and Decorating/renovating home categories all request at least one dangerous permission.
However, while the Losing weight and Decorating/renovating home categories are among the least private, the Volunteering category is actually one of the most private, with its overall score 31% lower than the average for all apps.
Meanwhile, around 6 out of 10 of the examined apps in both the Quitting smoking and Reducing stress categories request dangerous permissions. But similarly, while Quitting smoking is one of the most private categories, Reducing stress is among the least private, with its overall score 14% higher than the overall average.
Out of the 86 possible permissions we looked at, the New Year’s resolution apps we examined request an average of 10.7.
The two resolution categories that stand out request both the most overall permissions and the most dangerous ones. Apps of the Traveling more category request 5 more permissions and around 3 more dangerous permissions than average. Apps of the Exercising more category request around 4 more permissions and 1 more dangerous permission than average.
Unsurprisingly, neither of these New Year’s resolution categories perform well in terms of privacy. Both have among the highest overall privacy risk scores. However, Traveling more and Exercising more both have better privacy risk scores than Losing weight. This is where ad libraries come in.
On the other end of the spectrum, apps of the Quitting smoking resolution category request the fewest permissions (3 fewer than average) and the least dangerous permissions (around 2 fewer than average). Again, unsurprisingly, this category has the lowest overall score.
However, this pattern isn’t observed across all categories. For example, apps of the Reducing stress category request around 2 fewer permissions and dangerous permissions than average, yet have an overall score 14.1% higher than average.
While the number of dangerous permissions these apps request is significant, it isn’t the biggest indicator of risk to your data privacy.
The discrepancies between the number of permissions or dangerous permissions requested and the overall privacy risk scores of some of the New Year’s resolution apps we looked at can be explained by the number of ad libraries they use. Or in other words, the number of advertisers the apps share permissions with.
Ad libraries are Advertisement Software Development Kits (SDKs) that developers can build into their apps. These SDKs serve ads to help developers monetize their apps. While this may seem harmless enough on its own, ad libraries can be potentially dangerous.
The trouble lies in how permissions are shared between ad libraries and their host apps. Ad libraries automatically have access to any permissions the host app has. This means that if the app has permission to record audio on your device, for example, any ad libraries (and subsequent ad networks) can do the same.
This is why the privacy risk score is multiplied by the number of ad libraries an app uses plus one. Granting a permission to one app that has four ad libraries built into it is the same as granting that permission to five different entities (the app developer and each ad library).
Ad libraries per category
Over half (55.2%) of the New Year’s resolution apps we examined apps use ad libraries. Of those, 6 out of 10 use only one ad library while the remainder use 2 or more, with an overall average of 2.1.
The New Year’s resolution categories that use the most ad libraries are Decorating/renovating home and Reducing stress resolution, at over 2 more ad libraries than average, despite the Reducing stress category not requesting many permissions, dangerous or otherwise.
The best categories, using the fewest ad libraries, are Improving career, Traveling more, and Moving and relocating, with an average below 1.
Here, we see another discrepancy as apps in the Traveling more category have one of the highest (26.4% higher than average) privacy risk scores, despite using few ad libraries. This is due to the high number of permissions and dangerous permissions these apps request.
Similarly, the Losing weight category has the highest overall privacy risk score, yet requests slightly fewer ad libraries than average. Again, this comes down to the number of permissions, both dangerous and otherwise, that these apps request.
Keeping in line with the findings from our previous studies, popularity goes hand in hand with increased risk to data privacy. The more popular an app is, the higher overall score it tends to have.
This could be explained by the fact that they are twice as likely to use ad libraries4, greatly increasing their privacy risk score.
Apps with the most downloads have the highest score on average (54% higher than all apps) and apps with the least downloads have the lowest (36.8% lower than the average).
In fact, the most popular group of apps have an average privacy risk score that’s twice as high as the least popular group. They also request 5 more permissions and 2 more dangerous permissions and use one more ad library on average.
Choosing a New Year’s resolution app
If you’re planning on downloading an app to help you keep track of your New Year’s resolution, we recommend caution.
- Choose an app with a lower privacy risk score.
- Stay away from popular apps with 500k or more downloads.
- Consider the categories. If choosing from a high privacy risk category, check the data safety section of the app in the Google Play store.
Here are our recommendations for each category:
We analyzed 344 New Year’s resolution apps from the Google Play store. We gathered the sample of apps by taking the top apps for 16 search terms, each relating to a common New Year’s resolution.
Each app was then assigned a privacy risk score, which was calculated based on how many permissions it requests, the protection level of each requested permission, and the number of ad libraries used by the app.
- 1 point was given for each permission with a normal protection level.
- 2 points were given for each permission of the signature and signatureOrSystem protection levels.
- 3 points were given to each permission with a dangerous protection level.
Therefore, the higher the privacy risk score, the less private the app.
The permission data, including the permission names and quantities, were collected from Google Play. The permission protection level data, including dangerous, normal, signature, and signatureOrSystem permissions, were taken from the official Android Developers’ documentation.
If a permission or its protection level couldn’t be found there, three other sources (listed below) were used to get this information. Ad library data was taken from AppBrain.
Permission protection level (main):
Android Developers. “Manifest.permission”. Reference. Last modified November 10, 2022. https://developer.android.com/reference/android/Manifest.permission
Permission protection level (alternative):
IzzyOnDroid. “Permissions.” App Lists. Last modified August 18, 2022. https://android.izzysoft.de/applists/perms?lang=en
Permission protection level (alternative):
nowsecure. “Aosp_permissions_api18.py” androguard. Last commit September 14, 2015. https://github.com/nowsecure/androguard/blob/master/androguard/core/api_specific_resources/aosp_permissions/aosp_permissions_api18.py
Permission protection level (alternative):
Yi, Bill “blob: ce474c20da824d4a9f2e0f764e81b5ca76135729.” AndroidManifest.xml. Accessed December 28, 2022. https://android.googlesource.com/platform/packages/providers/TvProvider/+/refs/heads/master/AndroidManifest.xml
Permission protection level descriptions:
Android Developers. “<Permission>”. Guides. Last modified April 29, 2022. https://developer.android.com/guide/topics/manifest/permission-element
- Discover Happy Habits. “New Year’s Resolution Statistics (2022 Updated).” Goal Setting. Last modified August 22, 2022. https://discoverhappyhabits.com/new-years-resolution-statistics/.
- Android Developers. “<Permission>”. Guides. Last modified April 29, 2022. https://developer.android.com/guide/topics/manifest/permission-element.
- Statista Research Department. “New Year’s Resolutions of Americans for 2022.” Personality & Behavior. Last modified November 15, 2022. https://www.statista.com/statistics/378105/new-years-resolution/.
- Han, Catherine, Irwin Reyes, Amit Elazari Bar On, Joel Reardon, Álvaro Feal, Kenneth A. Bamberger, Serge Egelman, and Narseo Vallina-Rodriguez. “Do You Get What You Pay For? Comparing The Privacy Behaviors of Free vs. Paid Apps.” Workshop on Technology and Consumer Protection (ConPro ’19). May 23, 2019. https://www.ieee-security.org/TC/SPW2019/ConPro/papers/han-conpro19.pdf.