
7 Things You Gave Apps Permission to Do Without Realizing


Written by Wolfgang January 11, 2026

Most apps don’t steal your data. That would be bad for business. Instead, they ask politely, wrap the request in friendly language, and wait for you to tap “Allow” mindlessly. After that, they don’t just get what they asked for. Most of the time, it’s far more than you assumed, and it gets reused in ways you never agreed to.

Here’s what they access and the surprising things they do behind the scenes.

1. Track your offline purchases

Many apps you use, especially shopping and e-commerce platforms, can access your location, shopping habits, and payment information. This data is often merged with data from third-party analytics platforms, which gather information from countless sources. Combine that with a decent enough algorithm, and a company can infer everything from offline purchases, spending power, and taste to even when someone is pregnant.

In 2012, Target used its own shopping data to create a “pregnancy prediction” score (Wikipedia). The system was so accurate that, in one case, Target sent a maternity-related coupon to a teenager before her father knew she was pregnant. They only used their own data in this instance. Now imagine how much more a company could know if it added information from other retailers, credit card networks, or loyalty programs to the mix.

Another case involves Meta, which historically purchased offline consumer data from data brokers like Acxiom, Epsilon, Experian, and Oracle Data Cloud. These brokers collect information from store loyalty programs, credit card transactions, and other sources, then sell it to companies like Facebook, which use it to improve ad targeting. So, if you ever thought the ads were way too accurate, now you know why.

2. Access your calendar and appointments

Apps that have access to your calendar and appointments often claim they use it to schedule events and send reminders. But that’s only half the truth: that data also gets used to build a detailed picture of your routine, your priorities, and even your personal relationships. Even if an event looks generic, algorithms can spot patterns like how often you meet certain people, when you travel, and what your working hours are. These apps then sell all that information to data brokers for profit.

3. Collect your device fingerprint

A device fingerprint is a combination of information about your device, including your operating system, browser type, screen size, installed fonts, settings, and many other hardware configurations. While none of this sounds that bad on its own, combining these data points can uniquely identify your device without needing any name or email.

Studies have shown that about 80–90% of browsers/devices have unique fingerprints. So even if you don’t share your name or email, your activity can easily be tracked across websites and apps simply by a combination of settings and hardware details. (Cornell)
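To show how individually common attributes become identifying once combined, here is an added example (not part of the original article) that counts how many devices in a constructed eight-device population stand alone as attributes are added one at a time. The attribute values and function names are invented for illustration.

```javascript
// Constructed sample population: all values are invented for illustration.
const ATTRS = ["os", "browser", "screen", "fonts"];
const devices = [
  { os: "Windows", browser: "Chrome",  screen: "1920x1080", fonts: "set-A" },
  { os: "Windows", browser: "Chrome",  screen: "1920x1080", fonts: "set-B" },
  { os: "Windows", browser: "Chrome",  screen: "1366x768",  fonts: "set-A" },
  { os: "Windows", browser: "Firefox", screen: "1920x1080", fonts: "set-A" },
  { os: "macOS",   browser: "Safari",  screen: "2560x1600", fonts: "set-C" },
  { os: "macOS",   browser: "Chrome",  screen: "2560x1600", fonts: "set-C" },
  { os: "macOS",   browser: "Safari",  screen: "2560x1600", fonts: "set-D" },
  { os: "Windows", browser: "Chrome",  screen: "1920x1080", fonts: "set-A" },
];

// Join the chosen attributes into one fingerprint string.
function fingerprint(device, attrs) {
  return attrs.map((a) => `${a}=${device[a]}`).join("|");
}

// Count how many devices share each fingerprint.
function groupSizes(population, attrs) {
  const groups = new Map();
  for (const d of population) {
    const fp = fingerprint(d, attrs);
    groups.set(fp, (groups.get(fp) || 0) + 1);
  }
  return groups;
}

// Number of devices that are alone in their group (uniquely identifiable).
function uniqueCount(population, attrs) {
  return [...groupSizes(population, attrs).values()].filter((n) => n === 1).length;
}

// Unique-device count after adding attributes one at a time.
function uniquenessByStep(population, attrs) {
  return attrs.map((_, i) => uniqueCount(population, attrs.slice(0, i + 1)));
}

// Bits of identifying information a fingerprint reveals about one device:
// log2(population size / number of devices sharing that fingerprint).
function identifyingBits(population, device, attrs) {
  const shared = groupSizes(population, attrs).get(fingerprint(device, attrs));
  return Math.log2(population.length / shared);
}

console.log(uniquenessByStep(devices, ATTRS)); // unique devices per step
```

No single attribute singles out any device here, yet the four together isolate six of the eight; only the two devices with identical configurations still share a fingerprint.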

4. Use camera to monitor activity or capture images

Most apps ask for camera access for obvious reasons like taking photos, scanning documents, or joining video calls. But once that permission is granted, the app can use the camera in the background without you knowing. These apps can take pictures, analyze visual data, and check if the camera is on, all behind the scenes.

In 2019, users found out that Facebook was activating the iPhone camera while people were scrolling through their feed, even when they were not taking photos. Facebook later stated that this was a software bug, but who knows what it was. At the very least, it was enough to show what could be done if someone wanted to.

5. Record ambient sounds using microphone

Microphones are used in a similar manner to the camera. In 2019, a Belgian investigation found that 153 out of 1,000 leaked Google Assistant recordings were captured without an intentional wake word. These recordings included arguments, bedroom conversations, professional phone calls with sensitive information, and even personal details, which journalists were able to use to identify and contact the individuals involved. (Source: Wikipedia)

6. Analyze speech patterns for emotional or biometric insights

Every audio recording includes pitch, tone, speed, and pauses, which these platforms study to detect your stress level, emotional state, and personality traits. When they combine this with other data like location or app usage, they can get extremely granular and predict how you might respond to specific content or offers.

Research has shown that modern AI systems can identify emotions with up to 90% accuracy from voice alone, simply by analyzing how you speak. (Cornell)

7. Capture clipboard content, including passwords or crypto addresses

Most of the time, clipboards have nothing interesting, but a single wrong action is all it takes. When Apple introduced clipboard access alerts in iOS 14, almost every app was found to be reading the clipboard in the background. While having this access made public has stopped many major players from behaving as freely as before, the risk still exists.

In one of the earliest known clipboard hijacking campaigns, CryptoShuffler monitored clipboard activity on Windows machines and replaced copied Bitcoin addresses with attacker-controlled ones. It is estimated that by doing this, attackers stole over 23 BTC simply by waiting for users to paste wallet addresses.
