Your smartphone could be handing over far more personal information than you realise, and some of the most popular social media platforms— including WhatsApp, Facebook, YouTube, Instagram, TikTok, Amazon, and Strava – could be the reason why.
These hugely popular apps, with billions of users worldwide, are just a handful of the 20 mobile apps put through their paces in collaboration with cybersecurity firm Hexiosec.
Each app has its own set of permissions requests that pop up when you first download it. Common permissions can include access to your camera, microphone, location, contacts, or calendar. Many of these are completely legitimate — you'd struggle to send a voice note on WhatsApp without allowing the app to use your microphone — but some apps demand access to much more than you'd think necessary for its day-to-day use.
Each of the apps investigated by Which? had at least one "risky" permission, with the biggest offender being Samsung SmartThings, which topped the list with eight. The permissions identified as risky in the investigation could compromise your privacy by allowing bad actors to access and potentially steal your personal information.
GB News was handed the complete list of apps checked by the teams at Which? and Hexiosec, ranked by those with the most "risky" permissions. The full rundown is as follows:
Your social media habits could be particularly exposed, as Facebook deployed nine location tracking permissions- the highest number among social platforms tested - while also requiring the most personal details during account setup, including your full name, date of birth and gender.
There's nothing inherently scary about an app asking for permission to access the features built into your handset, like your microphone, location, contacts, storage, phone, and calendar.
These include:
However, if an app is found to be malicious, it can exploit your permissions to install malware, track your location for harmful use, access your camera and microphone to view/listen to you, steal personal information, or even control your device.
Even if it's not malware, it's possible that you don't want to hand over more data than necessary.
Based on findings from Which?, your location appears to be particularly coveted data, with 15 of the 20 examined apps requesting precise GPS tracking that can pinpoint you within five metres. By giving the apps on your phone these permissions, they're able to perform various functions.
GETTY IMAGES
|Facebook was among the many popular social media apps investigated by Which? and cybersecurity firm Hexiosec
In the investigation, the Chinese-made Xiaomi Home app, used to manage Xiaomi's smart home devices, topped the list of data-hungry applications, demanding 91 permissions from your device, with five classified as risky.
Samsung's SmartThings, used to connect and control multiple Samsung devices, wasn't far behind, requesting 82 permissions, including eight risky ones, whilst Facebook sought 69 permissions with six deemed risky.
Meta responded to the investigation by stating that none of its applications "run the microphone in the background or have any access to it without user involvement", emphasising that you must "explicitly approve" microphone access through your operating system.
Samsung acknowledged the importance of privacy, explaining that "SmartThings only uses the permissions needed for the app to function properly and deliver the best possible user experience."
WhatsApp, despite being primarily a messaging service, asked for 66 permissions, six of which were categorised as risky.
These findings suggest that even the most popular apps on your phone could be collecting far more data than necessary for their basic functions.
Which? Editor Harry Rose warned: "While many of these apps appear to be free to use, our research has shown how users are, in fact, paying with their data, often in scarily vast quantities."
Beyond these, you might be surprised by some of the more subtle requests your apps are making.
For instance, AliExpress, Facebook, WhatsApp, and Strava sought the ability to monitor which other apps you've recently opened or are currently using, a level of surveillance that Android previously blocked due to privacy concerns.
Other apps requested permission to display pop-up windows over other applications, meaning they could interrupt your phone usage even if you've disabled their notifications.
GETTY IMAGES
|Apps like Strava have potentially influenced users to "opt in" or "agree" to permissions by greying out the other options
The investigation also revealed different consent practices among health and fitness apps.
For example, Strava employed what researchers have called a "dubious design", featuring a bright orange "agree" button alongside a greyed-out "disagree" option, potentially steering you towards acceptance without full consideration.
To protect yourself from giving out more access than necessary, you can change your permission settings in your device's apps and permissions menu, where you can revoke access individually based on your preferences.
You can also examine privacy policies before downloading, delete unused applications to minimise risk, and check each app's internal privacy controls.