A new investigation has revealed that many widely used smartphone apps — including Facebook, Instagram, and WhatsApp — routinely request access to sensitive user data, often without clear justification.
by the UK consumer group Which? in collaboration with cybersecurity firm HeXiosec, the study examined nearly 20 popular Android apps spanning social media, shopping, fitness, and smart home categories, according to news reports.
The analysis found that every app tested requested permissions that could compromise user privacy—such as access to location data, microphones, and personal files—regardless of whether those features were essential to the app’s primary function.
“Millions of people rely on these apps daily, often unaware that they’re exchanging personal data for free services,” said Which? editor Harry Rose.
Categories and Key Apps Reviewed — Social Media: Facebook, Instagram, WhatsApp, TikTok, YouTube; Shopping: Amazon, AliExpress, Shein, Temu, Vinted; Health/Fitness: Calm, Strava, Flo, Impulse, MyFitnessPal; Smart Devices: Xiaomi Mi Home, Samsung SmartThings, Bosch Home Connect, Ring, Tuya Smart Life
Major findings show these apps have been downloaded over 28 billion times globally. Each app requested an average of 882 permissions, many with potential privacy implications.
Top permission requests — Xiaomi Mi Home: 91 (including 5 considered high-risk); Samsung SmartThings: 82; Facebook: 69; WhatsApp: 66
Some apps were found to transmit user data to servers in China, including networks linked to advertising, despite their privacy policies not fully disclosing this practice. AliExpress, in particular, was noted for sending promotional messages without clearly obtaining user consent.
Apps like TikTok and YouTube requested fewer permissions overall but still sought access to sensitive features like audio recording and file reading. Many apps also had the ability to auto-launch or display pop-ups over other apps, which could expose users to further privacy and security risks.
While certain permissions were explained—such as microphone use for WhatsApp calls or Ring Doorbell features—others, like access to data about users’ other installed apps, lacked clear purpose.
Experts urge users to carefully review app permissions before downloading or updating any software. Although this investigation focused on Android apps, permission structures may vary on iOS and other platforms.
Meta, Samsung, TikTok, Amazon, AliExpress, and Ring responded, stating they comply with privacy laws and are committed to protecting user data.
The findings reinforce growing concerns about digital privacy and the hidden cost of convenience in modern app ecosystems.
