Black Friday deals or data steals: here’s how top shopping apps can access your data


With shopping season just around the corner, your favorite shopping apps might offer more than just Black Friday deals – some might also track your personal data.

Retailers' apps are crucial to shopping routines, with 74% of consumers worldwide using them while browsing for products. The market size of the shopping app industry is already approaching $4 trillion, with over half (52%) of adults worldwide having made a purchase through a mobile app.

However, the convenience of getting the best deals with one click might come at the price of your privacy. Once you install a shopping app, you'll be prompted to grant it various permissions to access your device. While some of these permissions are essential for the app to work, some may pose a risk to your private data.

ADVERTISEMENT

To find out more, we analyzed 71 of the world’s most popular shopping apps on the Google Play Store. We aimed to identify dangerous permissions and determine which ones are the most data-hungry.

How do we uncover dangerous permissions?

Dangerous permissions, also known as runtime permissions, give an app additional access to restricted user data or let it perform actions that could further affect the system and user data.

Ideally, app developers should request only the permissions necessary for the app's core functionality. However, Cybernews' previous research into popular airlines, travel planning apps, educational apps, and the top 50 Android apps showed that this is not always the case.

In our latest research, we tested shopping apps to determine whether they request any of the 40 dangerous permissions identified by Android, which could potentially compromise user privacy.

Access to data does not necessarily mean misuse of it, but there are always risks involved. For this reason, users should always exercise extreme caution regarding certain app permissions, as they may allow apps to access their device's communication features or personal information, such as their location, camera, files, or contacts.

Which shopping apps are the most hungry for dangerous permissions?

ADVERTISEMENT

The Tata Neu app, an all-in-one shopping and payments platform developed by the India-based Tata Group, is the ‘winner’ of this dubious honor, demanding 19 intrusive permissions from its users.

In second place is Taobao, an online shopping platform owned by China's Alibaba Group, which requests 18 dangerous permissions. Lazada, another shopping platform under the same group, follows closely in third place with 17 permissions.

All three apps have access to the user's location, camera, and microphone. They can also read contacts on the device, as well as access the calendar and files stored on the device.

The Tata Neu app can additionally read users' SMS messages and phone state, which include such sensitive information as the device's phone number, network status, network operator, IMEI codes, SIM card details, and information about the internet provider.

The app also asks for redundant and dangerous permission to access accounts on the device. This type of permission grants an app access to the user's accounts associated with the device. It means the app can retrieve a list of accounts registered on the device, such as those from Google, Meta, and Samsung.

On the other end of the scale, Wallapop, a Spanish marketplace, and Amazon India Shop request no dangerous permissions at all. In second place is JUMIA, a Nigerian market, with just one dangerous permission, followed by Action, a Dutch discount store chain, in third place, with two permissions.

Which dangerous permissions are requested most often?

Nearly all analyzed apps (67) ask users for permission to post notifications. Many apps use this permission. However, malicious or breached apps could abuse it to send unwanted ads, phishing links, or misinformation.

Most apps (63) also request permission to track users' precise location, enabling them to pinpoint a user's position within just a few meters or 10 feet. If abused, such permission could lead to tracking the user's precise location, leading to significant privacy violations.

The same number of tested apps (63) had access to the device's camera. Granting access permission enables apps to take photos, record videos, and conduct video calls. If abused, an app could potentially do this without user consent, compromising the user's privacy and security.

ADVERTISEMENT

Fifty-five apps request permission to read from and write to device storage. Access to a device’s storage is considered sensitive because it allows an app to modify data on external storage, like the SD card.

This can grant access to personal files, photos, videos, documents, and other private information. If misused by malicious actors, this permission could result in data loss and privacy breaches.

Thirty-eight apps are granted permission to record audio from your device's microphone. Access to the microphone might lead to unauthorized surveillance, capturing sensitive conversations and personal information if exploited. It might also be used for unconsented marketing.

Thirty-six apps ask for dangerous permission to read the phone state, allowing an app to identify the device and its user. If this information falls into the wrong hands, it could be exploited to intercept communications on the device.

Check what dangerous permissions a particular app requires here:

How do you revoke app permissions?

As sensitive permissions can pose risks to a user's privacy, Cybernews advises always reviewing permission requests before allowing access.

“Remember, you can always grant permissions later if you need a specific feature. Most users tend to grant all permissions automatically, but it’s safer to start with auto-reject and adjust on the go,” recommend Cybernews researchers.

Pay attention to permissions that seem unnecessary for the app's intended functionality. You can manage and revoke app permission on your device’s settings on the Android OS by navigating to “Application Manager” or “Apps.”

ADVERTISEMENT

If an app seems to be asking for too many permissions, it’s best to avoid using it. If the app is compromised, misusing these permissions could lead to harmful consequences for users.

One of the biggest risks is privacy invasion, as apps with excessive permissions can access sensitive information without proper consent.

Improperly handled permissions can also compromise data security, leaving user data vulnerable to unauthorized access, identity theft, or data breaches.