Experts at consumer champion\u00a0Which? investigated 20 popular apps across social media, online shopping, fitness and smart home categories.\u00a0<\/p>\n
They found all of them ask for ‘risky’ permissions such as access to your location, microphone, and files on your device \u2013 even when they don’t need to.\u00a0<\/p>\n
The experts urge people to be more careful about what exactly we agree to when we download an app and mindlessly agree to permissions.\u00a0<\/p>\n
We could be compromising our privacy when we hastily tap ‘agree’.\u00a0<\/p>\n
‘Millions of us rely on apps each day to help with everything from keeping on top of our health and fitness to doing online shopping,’ said Harry Rose, editor of Which?<\/p>\n
‘While many of these apps appear to be free to use, our research has shown how users are in fact paying with their data \u2013 often in scarily vast quantities.’\u00a0\u00a0<\/p>\n
![\"Among](\"https:\/\/www.newsbeep.com\/uk\/wp-content\/uploads\/2025\/07\/100494917-14925333-image-a-18_1753112837389.jpg\")
<\/p>\n
Among social media apps, Facebook, owned by Meta, was arguably the most keen for user data – it wanted the highest number of permissions (69 in total, of which 6 are considered ‘risky’<\/p>\n
![\"WhatsApp,](\"https:\/\/www.newsbeep.com\/uk\/wp-content\/uploads\/2025\/07\/100492259-14925333-image-a-14_1753104086768.jpg\")
<\/p>\n
WhatsApp, also owned by Meta, wanted 66 permissions in total, six of which are considered risky)<\/p>\n
Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps on an Android handset.\u00a0<\/p>\n
The list included some of the biggest names in social media (including WhatsApp, Facebook, Instagram, TikTok), online shopping (Amazon, AliExpress) the smart home (Samsung Smart Things,\u00a0Ring Doorbell) and fitness (Strava).\u00a0<\/p>\n
Combined, the 20 apps have been downloaded over 28 billion times worldwide \u2013 meaning the average UK adult is likely to have several of them on their phone at any given time.\u00a0<\/p>\n
If someone were to have all 20 downloaded on their device, collectively they would grant a staggering 882 permissions \u2013 potentially giving access to huge amounts of an individual\u2019s personal data.<\/p>\n
Overall, the team found Chinese app Xiaomi Home asked for a total of 91 permissions \u2013 more than any other app in the study \u2013 five of which are described as ‘risky’.\u00a0<\/p>\n
Risky permissions include\u00a0those that access your microphone, can read files on your device, or see your precise location (usually referred to as ‘fine location’).\u00a0<\/p>\n
Such data is a valuable commodity and may allow firms to target users with ‘uncannily accurate adverts’.\u00a0<\/p>\n
Samsung’s Smart Things app asked for 82 permissions (of which eight are risky), followed by Facebook (69 permissions, six risky) and WhatsApp (66 permissions, six risky).\u00a0<\/p>\n
![\"Meta's](\"https:\/\/www.newsbeep.com\/uk\/wp-content\/uploads\/2025\/07\/100492267-14925333-image-a-12_1753104053014.jpg\")
<\/p>\n
Meta’s photo-sharing app Instagram asked for a total of\u00a056 permissions, of which four are considered ‘risky’\u00a0<\/p>\n
![\"Overall,](\"https:\/\/www.newsbeep.com\/uk\/wp-content\/uploads\/2025\/07\/100492261-14925333-image-a-10_1753104038722.jpg\")
<\/p>\n
Overall, Xiaomi asked for a total of 91 permissions – more than any other app in the study – five of which described as ‘risky’<\/p>\n
How to improve your app privacy\u00a0\u00a0 Check privacy information: Review any data collection information on the app store listing, including the permissions an app will requestRead the privacy policy: You can find it either on the app store listing or company\u2019s website. If you don\u2019t want to read the whole thing then focus on the sections on data collection and sharingLimit or revoke permissions: In Apple iOS and Google Android, you can control what apps can access your data (tap Settings, and then Apps and Permissions to see what each app can access)Delete: If you aren\u2019t sure about an app, delete it – and make sure all your account data is deleted, too <!- – ad: https:\/\/mads.dailymail.co.uk\/v8\/us\/sciencetech\/none\/article\/other\/mpu_factbox.html?id=mpu_factbox_1 – -><\/p>\n
Advertisement<\/p>\n
Xiaomi Home was also one of two apps (alongside AliExpress) to send data to China, including to suspected advertising networks \u2013 although this was flagged in the privacy policy by both.<\/p>\n
Ali Express requested six risky permissions such as precise location, access to microphones and reading files on the device.\u00a0<\/p>\n
AliExpress also bombarded users with a deluge of marketing emails after download (30 over the course of a month) but the\u00a0researchers did not see any specific permission request from AliExpress to do so.\u00a0<\/p>\n
Temu, another Chinese-owned online marketplace, also gave a heavy push to sign up to email marketing \u2013 which many users could easily agree to without realising, the experts reasoned.\u00a0<\/p>\n
Among social media apps, Facebook was ‘the most keen for user data’ as it wanted the highest number of permissions (69 in total, six of which risky), followed by WhatsApp (66 altogether, six of which risky).\u00a0<\/p>\n
TikTok, meanwhile, asked for 41 permissions, including three risky ones, including the ability to record audio and view files on the device, while\u00a0YouTube asked for 47 permissions, four of which were ‘risky’.\u00a0<\/p>\n
Overall, 16 of the 20 apps requested a permission that allows apps to create windows on top of other apps \u2013 effectively creating pop-ups on your phone, even if you opted out of the app sending notifications.<\/p>\n
Seven also wanted a permission that allows an app to start operating when you open your phone even if you haven’t yet interacted with it.\u00a0<\/p>\n
![\"AliExpress](\"https:\/\/www.newsbeep.com\/uk\/wp-content\/uploads\/2025\/07\/100492263-14925333-AliExpress_was_also_one_of_two_apps_alongside_smart_device_app_X-m-15_17531089744.jpeg\")
<\/p>\n
AliExpress was also one of two apps (alongside smart device app Xiaomi) to send data to China, including to suspected advertising networks<\/p>\n
In some cases there are clear uses for risky permissions \u2013 for example the likes of WhatsApp or Ring Doorbell may need microphone access in order to carry out certain functions.<\/p>\n
But other examples the need for risky permissions was less clear cut, according to Which?<\/p>\n
For example, four apps \u2013 AliExpress, Facebook, WhatsApp and Strava \u2013 requested permission to see what other apps recently used or currently running.<\/p>\n
The researchers stress that the investigation was conducted on an Android phone and that permissions may vary on Apple iOS devices.\u00a0<\/p>\n
But we should all be more careful of tapping “yes” to permissions while mentally on ‘autopilot’ without really being aware of what we’re agreeing to, Mr Rose said.\u00a0<\/p>\n
‘Our research underscores why it\u2019s so important to check what you\u2019re agreeing to when you download a new app,’ he added.\u00a0<\/p>\n
![\"Samsung's](\"https:\/\/www.newsbeep.com\/uk\/wp-content\/uploads\/2025\/07\/100492265-14925333-Samsung_s_Smart_Things_app_asked_for_82_permissions_of_which_eig-a-32_17531059582.jpeg\")
<\/p>\n