7 ways your apps put you at risk, and what you can do about it


By now, we’ve had it beaten into our heads that our phones and tablets are home to a wealth of personal info that can come back to haunt us. Sometimes we share it ourselves. But other times our mobile apps do it to us, by collecting, collating, selling, and sometimes broadcasting our activities and personal information. If there’s anything recent data breaches have taught us, it’s that once personal data gets out there, it can make us vulnerable forever.

According to Appthority’s latest App Reputation Report (registration required), sketchy apps aren’t the only problem. The report recently found that 83 percent of the top 100 paid and top 100 free apps on Android, and 91 percent on iOS had at least one risky behavior. With that in mind, here are seven broad ways many apps can compromise your privacy.

1. Unencrypted data

Probably the riskiest thing an app can do is collect data about you – your name, email address, phone number, home address, credit card info, and what-have-you – and just leave it unencrypted, wide open for anyone to see – a problem Facebook’s precious new WhatsApp had some years ago.

Consider the Starbucks app for iOS, one of the most-used commerce apps, which was recently discovered to store passwords in clear text – not good. Or The Coupons App, which claims more than 10 million users? The Android version transmitted personal information (including location) in plain text over the Internet every time someone used the app or searched for a coupon. Both apps have been updated, but how long did those problems go undetected? And these are just two high-profile apps that got caught last month.

What can you do? Unless you have both the expertise and the time to monitor your apps’ data transmission and storage (few people do), there’s almost no way to determine if an app is adequately securing the data it saves or transmits. Reassuring, huh?
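
For readers who do have the expertise, here is what that monitoring can look like, as an added example that is not from the original article or from Appthority: a tester enters known "canary" values into an app, exports the app's requests from an intercepting proxy, and checks whether any canary left the device over plain HTTP. The hostnames, canary values and capture format below are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_plus

# Values the tester typed into the app under test (constructed canary data).
CANARIES = {
    "email": "canary.user@example.test",
    "phone": "5550100199",
    "latitude": "47.6205",
}

# Constructed capture: (method, URL, body) rows as exported from a proxy.
CAPTURE = [
    ("GET", "http://api.shop.example.test/search?q=pizza&lat=47.6205&lon=-122.3493", ""),
    ("POST", "https://api.shop.example.test/login", "email=canary.user%40example.test"),
    ("POST", "http://ads.example.test/track", "uid=abc&e=canary.user%40example.test&p=5550100199"),
    ("GET", "http://cdn.example.test/logo.png", ""),
]


def find_cleartext_leaks(capture, canaries):
    """Return sorted (host, canary_name) pairs seen in non-TLS requests."""
    leaks = set()
    for _method, url, body in capture:
        parts = urlsplit(url)
        if parts.scheme != "http":
            # HTTPS requests are encrypted in transit; only plain HTTP is flagged.
            continue
        # Decode the query string and form body so URL-encoded values still match.
        haystack = unquote_plus(parts.query) + "\n" + unquote_plus(body)
        for name, value in canaries.items():
            if value in haystack:
                leaks.add((parts.hostname, name))
    return sorted(leaks)


if __name__ == "__main__":
    for host, name in find_cleartext_leaks(CAPTURE, CANARIES):
        print(f"cleartext {name} sent to {host}")
```

A clean result only covers data in transit for the screens the tester exercised; it says nothing about how the app stores data on the device.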

2. Location, location, location

Some apps need to know your location, like a mapping app trying to give you directions. But does a free game or a recipes app need to know your location? Probably not. To advertisers, your location is one of the most valuable things on your phone, so many apps grab it solely to pass along to advertisers. Some people are comfortable with that; other people aren’t. Either way, users have no idea how developers and ad networks are using, profiling, sharing, and selling that location data.

What can you do? In both iOS and Android, apps that want your location must get your permission via a pop-up. Unfortunately, it’s usually an all-or-nothing decision: agree, or don’t use the app.

3. Ads, ads, ads

How can ads be risky? The most obvious way is the detailed profiles advertisers build up on individuals – profiles that often follow us from place to place and device to device. Who knows how that information is being used, sold, and traded?

There are other risks, too. Most online ads come from ad networks that supply code that app makers use to insert ads into their apps. Sometimes that code is very robust, but sometimes ad providers are shady, don’t do a very good job – or get hacked. For instance, the “Vulna” ad library, which collected personal information about users, could be used to attack Android devices. Researchers estimated apps with Vulna had been downloaded more than 200 million times. It’s supposedly fixed now, but that doesn’t make us any less nervous.

What can you do? Obviously, you can use only apps without advertising – those usually cost money. Also, iOS 7 users can “Limit Ad Tracking” in Settings > Privacy > Advertising > “Reset Advertising Identifier” – it’s like telling ad networks you’re a brand new person. There are no real equivalents for Android: Google doesn’t even allow ad-blockers in Google Play. It’s also a good idea to block third-party and advertising cookies in your mobile browser settings.

4. Single sign-on

Do you use your Twitter, Facebook, or Google+ account to sign in to apps and sites? Single sign-in makes it easier to share, like, and +1 good content, but if your social media account is compromised (it happens), all those sites and apps are vulnerable too. Moreover, sites and apps can implement single sign-on badly, giving attackers an opportunity to take over accounts. (That happens too.)

What can you do? Single sign-on is convenient, but risky. If you’re going to use it, we recommend only doing so with apps or sites where you have a high degree of trust.

5. Address books and calendars

Like location, calendar and address books are a goldmine for advertisers. So lots of apps want to access your contacts and calendars whether they need them or not, purely for analyzing that info and sharing it/selling it to advertisers. Consider that Appthority found 22 percent of the top 100 paid apps access the address book, but 31 percent of free apps do the same thing. And as mentioned, even if you don’t care about advertisers knowing your particulars, not all apps or ad networks handle the information safely.

What you can do: Access to calendars and address books is an app permission. In iOS 6 and higher you can try revoking it in Settings > Privacy. Unfortunately, there’s no built-in way for Android users to control permissions once an app is installed: if you don’t think an app needs your contacts and calendars, don’t give it permission.

6. In-app purchases

Many apps – especially games – are available for free, but make money via in-app purchases that add features, content, or help you level up faster. The risk of in-app purchases is obvious: it’s your money! The Internet is replete with tales of children racking up enormous bills by in-app purchases in games (Apple just settled with the FTC for $32.5 million over this very problem). Even some adults are guilty of going nuts with in-app purchases.

What can you do: In-app purchases can be turned off in iOS (you can find the setting in Settings > General > Restrictions, “Enable Restrictions”). Android is trickier, but you can set a PIN to confirm in-app purchases in settings for the Google Play app: find User Controls and set a PIN.

7. Unique Identifiers

One of the ways advertisers and others have tracked mobile users is with unique device identifiers (UDIDs): numbers that are unique to a particular device. Since most mobile devices are used nearly exclusively by one person, UDIDs became a great way to track people: combine that with location data, and it’s an advertiser’s paradise. And if those UDIDs are compromised (it happens) or mismanaged (that happens too), there’s no way to change them.

Apple warned iOS developers to stop using UDIDs back in 2012 (after a million UDIDs leaked), and no longer accepts apps that try to access them. However, Appthority says more than a quarter of the most popular iOS apps are still using UDIDs to track users. On Android, the numbers are a little scarier: 55 percent of paid apps and 87 percent of free apps used UDIDs to track people. And all free Android games use UDIDs. Yikes.

What you can do: With iOS 7 Apple requires apps use another number (IDFA, or ID for Advertisers) to track users. iOS users can change it anytime in Settings > Privacy > Advertising to make advertisers lose track of a device. (Of course, they’ll just start tracking you again.) Apple is also reportedly cracking down on apps that use IDFA for any purpose other than serving ads. Google is trying something similar with Google AdID, but the diversity of the Android ecosystem makes things complicated. Bottom line: performing a factory reset of a device might change its UDID.

Awareness is the best defense

Most of us have clicked through permissions popups while installing an app thinking “Yeah, whatever, I’m sure it’s fine, just get on with it already!” And it’s understandable. But it’s important to remember that even the most innocuous-seeming apps can carry risks.

The best defense is awareness and diligence. Make a habit of scanning permissions used by apps and deciding whether they make sense. If they seem intrusive, sometimes moving from a free to a paid app can solve the problem. If an app makes you uncomfortable, remove it. And if an app promising pictures of cats with funny captions demands location data … well, maybe you don’t need that app at all.

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…