Sharing is NOT caring: Android apps that can’t get enough of you
Taking inspiration from Apple’s “privacy labels”, Google first announced the introduction of its new data safety section back in 2021. Finally, since July 20, 2022, all developers have to declare how they collect and handle user data for the apps they publish on Google Play, as well as provide details about how they protect this data through security practices like encryption.
With that in mind, we did a deep dive into the privacy and security practices of the top 1,000 paid and unpaid apps available on the Google Play Store. Here is what we found:
Key findings
- 1 in 2 apps (55.2%) share your data with third parties.
- Tech giants collect the most data but claim to share the least.
- Free apps share, on average, 7 times more data points than paid apps.
- Popular apps with more than 500,000 downloads share, on average, 6.15 times more data points than less popular apps.
- The worst category in terms of data-sharing is “shopping,” where apps share an average of 5.72 data points.
- Social media apps collect the most data, with 19.18 data points collected on average.
- 13.4% of apps share your location with third parties.
Ranking of the top 10 apps collecting the most data
Interestingly, Meta apps such as Facebook, Facebook Lite, Messenger Lite, Messenger, and Instagram collect the most information about you while declaring to share very little. By their own admission, they share only 4 data points but actually collect 36 out of 37 data points – almost everything there is to know about you.
10 Google Play categories that collect the most data
Surprisingly for some, social media apps aren’t even in the top 5 categories that share the most data. However, when it comes to collecting data, they are the worst offenders, with 19.18 data points collected on average.
Social media is followed very closely by business apps, which also collect 18 data points on average.
Apps sharing the most data with third parties
According to a study conducted by the University of Oxford back in 2018, apps share your data with 10 companies on average. And as of Jul 21, 2022, 1 in every 2 apps (55.2%) in the Google Play Store shares your data with third parties.
Of the remaining 44.8% not sharing your data, more than two-thirds (69.77%) are paid apps. Free apps share an average of 7 times more data points than paid ones, while popular apps (with more than 500,000 downloads) share, on average, 6.15 times more data points than less popular apps. This may be because free apps are downloaded 400 times more often than paid apps on average. Altogether, this data seems to confirm the common belief that free apps aren’t really free: you pay with your data.
Let’s look at how data sharing is distributed across different categories of apps.
The worst category is “shopping,” where, on average, apps share 5.72 data points per app. The category “house & home” was excluded because it contained only one app (which shares 8 data points).
When it comes to the kinds of user data apps on Google Play share, the largest contributions come from app interactions, crash logs, and diagnostics. However, a significant number of apps share personally identifiable information such as names (4.77%), email addresses (6.77%), and home addresses (3.85%).
Even more concerning is that many apps share your location history: 13.4% of apps share your approximate location while 3.85% share your precise location.
As you can see in the table above, even apps marketed as safety and security tools share your precise location. Life360: Find Family & Friends is the most popular app in the list, with 100 million downloads, followed by TextNow: Call Text Unlimited and Smart Cleaner with 50 million downloads each.
Many internet users may not realize that some apps even share photos, videos, files and docs, personal messages, race or religious beliefs, and sexual orientation. The worst offenders in sharing this kind of sensitive information are Cast for Chromecast & TV Cast with 18 data points, followed by Door Dash – Dasher with 9, and Booking.com: Hotels and more with 8 data points.
Some of the most shared sensitive information includes email addresses, other financial information, and files and docs.
Can we trust Google Play’s data safety section?
The data safety section is filled out by developers using an “honor system,” meaning they must make complete and accurate declarations in their app’s store listing.
Moreover, it’s important to consider what Google means by data “sharing.” According to Google’s own definition, sharing is the transfer of user data to any third party.
This can include transfer:
- To an off-device server,
- To another app,
- From a webview opened through your app.
However, Google won’t disclose every type of data transfer. For example, any transfer made to a service provider or for legal purposes as well as the transfer of anonymous data won’t be explicitly stated in Google Play’s data safety section.
This doesn’t mean these types of data transfers are inconsequential and should be overlooked, though.
In fact, according to research conducted by the Imperial College London and Belgium’s Université Catholique de Louvain, it is possible to correctly re-identify 99.98% of anonymous data. This means that beyond the data sharing information provided by developers in the new Google Play safety section, there is a lot more identifiable data being transferred to third parties.
This makes us wonder whether Google Play’s security section can be fully trusted.
There is also a question of transparency. Despite being able to edit the data safety section since late April 2022, 35.07% of apps on the Google Play Store did not add any data safety labels until two weeks before the deadline (July 20th). Most apps developed by major corporations didn’t add the safety labels until the last two weeks.
This hesitancy to provide information about data collection and sharing could be explained by the headwind doing so may cause. On average, apps that did not add the safety labels were downloaded 2.2 times more often than apps that did. This may explain why several of the more popular apps did not add privacy labels until they were essentially forced to do so.
Several tech giants did not fill out the data safety section until just before the deadline
Moreover, following the launch of the new data safety section for Android apps on the Play Store, Google removed the app permissions list from both the mobile app and the web.
However, after the backlash that this change provoked on Twitter, Google decided to retract that decision:
“We heard your feedback that you find the app permissions section in Google Play useful, and we’ve decided to reinstate it. The app permissions section will be back shortly,” Google’s Android developers team said in a Twitter post on July 21.
How safe is your data with these apps?
We also looked into the security measures the apps on the Google Play Store had in place. We found that 4.9% of apps admit to not encrypting data in transit. This makes your personal information vulnerable to data breaches.
While that may seem like a low percentage, fewer than half of apps actually declare that data is encrypted in transit, so the number of apps not encrypting your data could be much higher in reality.
Also worrying is the fact that we found only 13.1% of apps are committed to following the Play Families Policy. And as few as 0.8% went through an independent security review (these are all Google apps, except for Instacart: Grocery delivery and Uber Eats: Food Delivery).
If you don’t want these apps holding your data, deleting your personal information can also be a challenge: 10% of apps on Google Play declare outright that the personal data they collect cannot be deleted. And only 39% of apps actually provided a way for you to request data removal.
Should you be worried?
While the new data privacy labels Google introduced are meant to make the user experience safer, the numbers we have found are still worrying.
Many apps share and even sell your data to third parties such as marketing agencies, data brokers, and other businesses. Worse yet is that more than half of these apps might not be encrypting your data in transit, making the data highly susceptible to attackers if communications are intercepted.
Even transferring anonymous data – which is not considered “sharing” – can be ultimately harmful as it can be easily re-identified.
The risks involved in the proliferation of your personal information can be quite serious. Data sharing exposes users to dangers such as data breaches, identity theft, stalking, and online harassment. Many internet users can also find themselves victims of digital redlining, a phenomenon that is similar to profiling and discrimination in the real world.
While you can’t trust companies to have your best interests at heart, there are still ways you can protect your data and privacy yourself.
- Avoid downloading unnecessary apps,
- Check the data safety section of every app you download,
- Input fake data whenever possible,
- Request apps to delete your data after you are done using the service.
If you can’t live without some of these apps, you can still mitigate the risks of having your data online. Many apps sell your data to data brokers who trade in personal information. Data brokers then sell your personal information to other third parties and even directly to cybercriminals.
While you can’t totally prevent these apps from collecting and sharing your data as long as you’re still using them, you can stop this information from circulating on the web. Remove your personal information from the internet and opt out from data brokers to stem the flow of your private data and reduce your risk of falling victim to scams.
Methodology
This study is based on Google Play’s data safety section, which was first introduced in April 2022 and fully enforced on July 20, 2022.
The data safety section is a way to help people understand what user data apps collect or share, as well as showcase apps’ key privacy and security practices. This information helps users make more informed choices when deciding which apps to install.
App developers independently declare how they collect and handle the data, which encompasses 37 different data points.
We’ve collected information on the top 1,000 apps (top 500 free apps and top 500 paid apps) according to AppFigures. We then analyzed the data in the “Data shared,” “Data collected,” and “Security practices” sections and ranked the apps from worst to best according to how many data points they collect and share.
Next steps
Android apps aren’t the only or even the worst offenders when it comes to your personal information getting into the wrong hands. Companies called data brokers specialize in gathering, compiling, and selling your information to anyone who’s willing to pay. Luckily, the presence of state data privacy laws means that you can opt out of each individual data broker, like Fast People Search, Fast Background Check, Nuwber, Innovis, Instantcheckmate, Clustrmaps, or WhitePages. Cybercriminals get their hands on your personal data and devise scams to get money or more valuable information from you, or both. Removing yourself from the internet is the nuclear option, but you need not go off-grid to make a real impact.