In this day and age, most of us already know apps collect our data. But the convenience—whether they make our day jobs easier, let us connect with our friends and peers, or simply give us a break from our hectic lives—keeps us downloading more and more apps on our devices. The question is: at what cost, exactly?
Incogni, a data removal company, took a deep dive into the new Google Play Store data safety section to uncover how much data apps share and what kind of security practices developers use to protect the personal information of their users. Spoiler alert – more than half of the apps openly share user data and even more collect and “transfer” your data.
Which Google Play apps share the most data?
Data is the “new oil” of the digital world – there is a $250B+ industry thriving on data trade. So it’s no surprise that data harvesting and sharing is so commonplace on the internet, whether it’s by the browser you use, websites you visit, or the apps you download.
It turns out that 55.2% of the apps in the study openly admit to sharing your data. Among those, Incogni identified certain tendencies regarding which apps share more than others:
The study revealed that shopping, business, and food & drink were among the app categories that share the most user data.
Even more interesting was the fact that, among the 500 free and 500 paid Google Play apps that Incogni analyzed, free apps shared 7 times more data than paid ones. Popular apps, with more than 500,000 downloads, also shared 6.15 times more data than less popular apps.
The fact that free apps are downloaded around 400 times more often than paid apps is likely to play a role here. But, overall, these findings support the idea that users pay for “free” apps with their personal data.
So, what kind of data do apps share?
While it may be common knowledge that apps share data, the average app user might not realize how much sensitive information that data includes. Many might assume that data like crash logs, app interactions, or purchase history is used for marketing and service improvement, and it is. But the reality goes far beyond that.
Incogni compiled a list of the most commonly shared data points and the percentage of the apps they analyzed that share them. They found that some apps openly share highly sensitive information such as:
Approximate location history (13.4%)
Email addresses (6.77%)
Home addresses (3.85%)
Precise location (3.85%)
In-app messages (1.85%)
Sexual orientation (0.62%)
Files and docs (1.54%)
SMS or MMS (0.46%)
Race and ethnicity (0.15%)
Religious and political beliefs (0.15%)
What does ‘sharing’ mean?
It’s important to note what Google means by “sharing.” Their definition of data sharing excludes data transferred to service providers, data transferred for legal reasons, and anonymous data.
This means that the highly sensitive data points listed above are being shared with third parties, which may include marketers and data brokers that sell your personal information for profit.
Anything that does not fall under Google’s strict definition of data sharing is referred to as data transfer. And while sharing your information with service providers can even be useful, anonymized data can also be transferred to anyone without your knowledge.
This might not sound too alarming to some. The data is anonymous, after all. However, with as few as 15 data points, researchers have found that anonymized data can be correctly re-identified 99.98% of the time, suggesting that more of your personal information is really “shared” than app developers are willing to disclose.
Which Google Play apps collect the most data?
A lot more apps collect data than those that admit to sharing it. Social media apps (surprise, surprise) and business apps turned out to be the worst offenders.
Interestingly, some of the apps that collect the most data were among those that declared sharing the least – raising questions about transparency.
Meta apps in particular, such as Facebook, Messenger, and Instagram, turned out to be collecting the most user data. These apps know almost everything about their users, collecting 36 out of 37 possible data points, well above the 15 required to re-identify anonymized data. Yet, they declare sharing only 4 data points.
Not only do these social media apps know every little thing about you, but there is also a good chance that this information makes its way far and wide online. So intimate details from your life such as private messages, online browsing habits, and even secrets may be exposed.
The invasion of privacy is a huge concern for many people. But the sharing and transfer of data can also expose users to serious security risks.
In December 2021, a popular mobile payment service called Cash App experienced a data breach that leaked personal information belonging to 8.2 million users. This data, in the hands of criminals, can be used to target consumers with scams, phishing, identity theft, and even blackmail or extortion.
With such serious threats hanging over their heads, users expect apps to take the proper security precautions to protect their personal data. Incogni found that this isn’t always the case. Almost none (0.8%) of the apps have gone through any type of independent security review.
4.9% of the apps admitted, outright, that they do not encrypt your personal data in transit at all. This is alarming enough on its own, but even worse is that more than half of the apps have made no claim to encrypt data in transit. Unfortunately, for users, this could mean that many (if not most) of these apps don’t use encryption to protect their data.
Consumers need to exercise a lot of discretion when deciding which Google Play Store apps to download. While the new data safety section is a step towards empowering users in this pursuit, it still doesn’t appear to be totally transparent.
Many app developers capitalize on valuable user data while shirking the responsibility of protecting it. And while data privacy laws like California’s CCPA protect consumers by forcing companies to declare data sharing practices, it’s still up to users to read the fine print and uncover how much of their personal information is really being exposed (answer: a lot).