Which? investigation reveals how data hungry smartphone apps ask for shocking levels of access to your location, microphone and data

A new Which? investigation has revealed how apps installed by millions of UK users demand huge amounts of user data - including asking for sometimes unnecessary access to parts of your smartphone.

Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps, including some of the biggest names in social media, shopping and health, such as WhatsApp, Facebook, YouTube, Instagram, TikTok, Amazon and Strava. 

Separately, the consumer champion also carried out a nationally representative survey of over 2,000 adults to assess what people consider most important when downloading and engaging with apps. 

Combined, the 20 apps Which? examined have been downloaded over 28 billion times worldwide. Their popularity is such that most UK consumers are likely to have at least a handful of these on their phones at any given time, and if a person were to have all 20 downloaded, they would grant a staggering 882 permissions - potentially giving access to huge amounts of an individual's personal data.

Of these 882 permissions, 78 are considered risky on an industry standard grading scale - including those that access your microphone, can read files on your device, or see your ‘fine' (precise) location. This data is a valuable commodity for advertisers, and it may be possible for firms to target users with uncannily accurate ads as a result. However, some apps specifically asked your consent before using these permissions, including risky permissions. 

Location is one of people's biggest privacy concerns according to Which?'s survey – two thirds (66%) would be concerned about an app collecting a phone's precise location (typically based on GPS location, accurate to within 5 metres), yet 15 out of 20 apps Which? tested wanted access to this. 

Additionally, 15 wanted access to files on the device, and 14 wanted permission to access the microphone. 

Some risky permissions related to more technical aspects of your phone, but nonetheless are potentially invasive. Sixteen of the 20 apps Which? tested requested a permission that allows apps to create windows on top of other apps - effectively creating pop-ups on your phone even if you opted out of the app sending notifications. 

Seven also wanted a permission that allows an app to start operating when you open your phone even if you haven't yet interacted with it.

While in some cases there are clear uses for ‘risky' permissions - for example the likes of WhatsApp or Ring Doorbell may need microphone access in order to carry out certain functions - in other examples the need for risky permissions was less clear cut. 

For example, four apps - AliExpress, Facebook, Strava and WhatsApp - requested permission to see what other apps you have recently used or are currently running, despite Android previously removing access to this over privacy concerns.

Bosch, meanwhile, requests users' precise location to detect water hardness in the local area, when arguably the general geographic area, known as ‘coarse location', might suffice. Bosch told Which? that water hardness can vary by street so a coarse location may not give the most accurate result, and this feature requires the user to opt-in first.

Which? also came across examples of apps asking for permission they claim not to use in the UK market. For example, AliExpress requested six risky permissions such as fine location, access to microphones and reading files on the device. However, it said fine location is not used in the UK market, and said two further risky permissions would only be used if 'necessary'.

As part of its tests, Which? also developed a bespoke framework to assess consent - a key component of data protection. This enabled researchers to give each app a score out of 10 for consent.

Of the four categories Which? looked at (shopping, social media, health & fitness, smart devices), health and fitness had the lowest overall score for consent, scoring just 5.6 out of 10. This was largely pulled down by brain training app Impulse (4/10) and running aid Strava (5/10). 

Impulse barely flagged any privacy information on sign up. Strava meanwhile used what researchers felt was a dubious design to nudge users to consent - the ‘agree' button was highlighted bright orange, while the ‘disagree' option was greyed out. 

Shopping apps meanwhile came in a close second from bottom, with an average consent score of just 5.9 out of 10, pulled down by AliExpress (4.5/10), and Temu (5/10).

Researchers noted some red flags when it came to using AliExpress, with the privacy policy information, in Which?'s view, easily missed during set up.

Separately, it also bombarded users with a deluge of marketing emails after download. The app sent a staggering 30 messages, at an average of one per day over the course of a month - the highest number of the 20 apps Which? examined. Worryingly, researchers did not see any specific permission request from AliExpress for marketing emails when they set the app up as a new customer. 

AliExpress was also one of two apps (alongside smart device app Xiaomi) to send data to China, including to suspected advertising networks - although this was flagged in the privacy policy.

Temu meanwhile gave a heavy push to sign up to email marketing - and researchers felt a user could easily agree without realising. Altogether it sent 23 marketing emails in 30 days - the second highest number on test. 

While social media (6.9/10) and smart device apps (7/10) performed better for consent on the whole, Which?'s tests nonetheless found no app was fully transparent in how it handled getting consent.

Among social media apps, Facebook was arguably the most keen for user data - it wanted the highest number of permissions (69 in total, of which 6 are considered risky), followed by stablemate WhatsApp (66 altogether, and 6 risky).

It was also the social media app with the highest number of trackers, placing nine in total. The majority were its own, along with Google Analytics and a mapping service. Facebook also requested the most data to set up an account, including first name, last name, birthday and gender. Which? asked what information is made public by default, but did not get a response. 

TikTok meanwhile asked for 41 permissions, including three risky ones - these included the ability to record audio and view files on the device.

Smart devices apps meanwhile were among the most data hungry of all the categories Which? looked at, with Xiaomi and Samsung asking for the highest numbers of permissions overall (91 and 82 permissions respectively).

Which? previously raised concerns about privacy with smart device apps last year, and has also been working with the Information Commissioner's Office (ICO), the UK's data protection regulator, on its new Code of Practice for how brands should handle data. 

Harry Rose, Editor of Which?, said:

“Millions of us rely on apps each day to help with everything from keeping on top of our health and fitness to doing online shopping. While many of these apps appear to be free to use, our research has shown how users are in fact paying with their data - often in scarily vast quantities.

“While it's easy to quickly skim a privacy policy and tick ‘yes' on autopilot, our research underscores why it's so important to check what you're agreeing to when you download a new app.”

-ENDS-

Notes to editors

• Which? has previously raised concerns about privacy and smart apps, read its previous investigation here and find out more about the ICO Code of Practice here.

Survey:

- Which? surveyed 2,132 adults in the UK in May 2025, of which 1,907 had downloaded an app in the last five years. Fieldwork was carried out online by Deltapoll and the data has been weighted to be representative of the UK population (aged 18+)

-In terms of what was most important to users when it came to app usage, 91% ranked privacy as the most important, ahead of usability (90%), speed/reliability (89%) and visual appeal (77%). 

- When Which? asked about levels of concern with sharing data with certain types of apps, social media had the highest (65%), followed by shopping/online marketplace apps (54%), smart device apps (51%), and banking apps (49%).

Testing:

• Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps: Ali Express, Amazon, Bosch Home Connect, Calm, Facebook, Flo, Impulse, Instagram, MyFitnessPal, Ring Doorbell, Samsung Smartthings, Shein, Strava, Temu, TikTok, Tuya, WhatsApp, Vinted, Xiaomi, Youtube

• Testing conducted on Android in June 2025. Permissions may vary on Apple iOS devices.

• Risky permission designated based on industry-standard grading scale as those giving potentially invasive access to an aspect of your mobile device. 

• A Fine location is a precise location, usually using GPS. Record audio means access to your mobile device microphone. Files on Device refers to the Read_External_Storage permission

Table of risky permissions by app

How to improve your app privacy

• Check privacy information: We're all in a rush, but it's worth reviewing any data collection information on the app store listing, including the permissions an app will request. The Google Play store has this in a ‘Data Safety' section, while Apple's App Store has it in ‘App Privacy'.  

• Read the privacy policy: You can find it either on the app store listing or company's website. If you don't want to read the whole thing then focus on the sections on data collection and sharing. Also look out for useful information on how to delete your data. 

• Limit or revoke permissions: In Apple iOS and Google Android, you can control what apps can access your data. Head to settings, and then Apps and Permissions to see what each app can access. Limit or revoke entirely, but the latter could block some app features.  

• Use the settings: It's always worth checking what additional app privacy controls you get. You can often limit some data tracking, revoke consent to certain aspects and lock down your account to some data sharing. This could help you continue to use the service more privately.  

• Delete: If you aren't sure about an app, delete it. Check the settings or privacy policy for how. And make sure all your account data is deleted, too. Periodically check unused apps on your phone, and delete them. Don't give them your data for nothing in return. Some 11% of respondents in Which?'s survey had deleted an app over how it used their data. 

Rights of replies:

AliExpress claimed that the precise location permission is not used in the UK, and the microphone permission requires user consent. It added: “We strive to create a platform where consumers can shop with confidence, knowing that their data is safeguarded in accordance with the law and our strict privacy policy. We welcome the findings from Which? as an opportunity to redouble our efforts in this area.”

Amazon said that device permissions are to provide ‘helpful features', such as ‘the ability to visualise products in their home with their device's camera or search for products using text-to-speech'. It added: “We also give customers clear control over personalised advertising by requesting consent when they visit our UK store and providing options to opt out or adjust preferences at any time.”

Bosch said that the trackers Which? detected are not used for online advertising. It said that the ‘record-audio' permission is used for a ‘chatbot functionality' and the user must explicitly grant permission. The precise location permission is used to connect appliances to the local network, and for a ‘detergent scan' feature to detect water hardness in someone's local area. Bosch said it needs user consent for this and does ‘not use this permission to track user location'.  Coarse location is based on cell towers and wifi networks, so will be accurate to within some kilometres. Because the water hardness level depends on water supplier, and can be different from one street to another, coarse location might identify the wrong water hardness level. There is another possibility for users – they can enter a postal code instead but then the accuracy could still be an issue.

A Bosch spokesperson added: “Consumer consent and security is of the utmost importance to us. Consumers always have control over what data is recorded and used through the Home Connect app, and these preferences can be updated by the end user at any time. Any data that is recorded with consent is only ever used in the interests of improving our product and service offering.”

Calm supplied some information on background but did not provide a statement for publication. A Flo spokesperson said: "We

don't over-collect data, and we never trade privacy for profit. Our users always remain in control of their data. Furthermore, Flo is the first and only health app with two ISO certifications in both Privacy & Security, and Anonymous Mode — setting the standard for digital health privacy.”

Meta (WhatsApp, Facebook and Instagram) told Which? that none of its apps ‘run the microphone in the background or have any access to it without user involvement'. It said that users must ‘explicitly approve' in their operating system for the app to access the microphone for the first time. Ring said that it doesn't ‘use cookies or trackers on the Ring app for advertising' and all per

mission as used to “provide user-facing features”. It added: “We design our products and services to protect our customers' privacy and security, and to put our customers in control of their experience. We never sell their personal data, and we never stop working to keep their information safe.”

A Samsung spokesperson said: "All our apps, including SmartThings, are designed to comply with UK data protection laws and relevant guidance from the Information Commissioner's Office (ICO). 

“Our phones come equipped with Google's Android operating system, which by default helps protect users by giving them control over what data apps can access. We fully comply with Google's operating system policies, including SmartThings. SmartThings only uses the permissions needed for the app to function properly and deliver the best possible user experience.”

Strava told Which? that people sign up for fitness apps with a ‘specific intent and understanding' that the ‘value stems from accessing, visualizing, and analyzing user data'. The company also noted that risky permission it takes, such as precise location, ‘allow Strava to provide the very service that our users are requesting'. It said that it has ‘implemented appropriate guardrails' around how data is ‘collected, shared, processed, and used'.

A Temu spokesperson told Which? that the precise location permission is ‘used to support completing an address based on GPS location' but it is not used in the UK market. It added: “Temu handles user data in accordance with local and international regulations and in line with leading industry practices. We remain fully committed to meeting UK regulatory requirements and to continuously improving transparency and user choice.”

TikTok said that privacy and security are ‘built into every product' it makes. It added that TikTok ‘collects information that users choose to provide, along with data that supports things like app functionality, security, and overall user experience'. 

Tuya said that all identified risky permissions are used for specific smart device functions, such as voice control or video storage, and the user has to opt-in.

Google/YouTube, Xiaomi, Impulse and MyFitnessPal did not respond to requests for comment, or missed the deadline to respond. Which? was unable to reach representatives at Vinted for comment.