The hidden data collectors in your pocket
Aleksandra: What are the most concerning types of data that mobile apps typically collect without users realizing it?
Dominykas: There are many concerning data types, but I think precise geolocation data is one of the most significant. Users often don’t realize the full extent to which it is collected and shared with other companies.
You can check out a blog post that illustrates this very nicely. It’s called “Everyone knows your location: Tracking myself down through in-app ads.” The author did a deep dive into how their personal data was being transmitted and shared through mobile advertising networks, and discovered that a single mobile game was leaking their precise location data. This information wasn’t just used by the app itself but was passed along through the in-app advertising ecosystem to numerous other companies.
The most alarming part is that the author was able to use this leaked data to successfully track their own location changes and movements between different physical locations. This proves just how detailed the location data is, and how it can be pieced together over time to reveal a person’s daily habits and routines — all without their knowledge.
When to say no to mobile app permissions
Aleksandra: Many apps request access to your contacts, location, camera, and microphone. Which permission requests should we question?
Dominykas: Some app permissions are obviously more sensitive than others, but that’s not what you should focus on. The real question is much simpler — does a permission request make sense for what the app actually does?
For example, a photo editing app asking for your camera and storage is normal. But if it wants access to your contacts or SMS messages, you should stop and think. Similarly, if a simple offline game asks for your location or microphone access, you shouldn’t comply.
Our research on app permissions revealed that 87% of Android apps and 60% of iOS apps requested permissions that they don’t even need to function. So be cautious and always think if a permission matches the app’s purpose.
Luckily, operating systems have some privacy controls in place. For example, the Android system categorizes permissions, with the most sensitive group called “Dangerous permissions.” This group includes permissions to access your contacts, location, camera, or microphone. Android requires the app to ask you for these one by one.
iOS also asks for your explicit permission before apps can access sensitive information or folders like your photos, location, and microphone. iOS 14.5 introduced something called App Tracking Transparency — it’s a feature that allows you to choose whether an app can track your activity across other companies' apps and websites for the purposes of advertising or sharing with data brokers. This feature adds a layer of privacy, so why not use it, right?
Ultimately, it’s not about memorizing a list of bad permissions. It’s about applying a simple rule — if a permission request seems unnecessary for the app’s purpose, you should be skeptical about it.
Taking back control of your data
Aleksandra: How can we effectively limit data collection while still maintaining app functionality?
Dominykas: It all comes down to shifting our mindset from being passive users to becoming active protectors of our own data. And everyone can do that with two useful habits.
The first habit is what I call “good phone hygiene.” Think about it — your phone is with you all day long. It holds your conversations, photos, location history, passwords, and so on... All of this information is incredibly personal. So you need to treat it with care.
Go into your phone’s privacy settings once a quarter and just look around. Which apps have access to your microphone? Which ones are tracking your location? If you see an app you haven’t used in months, just delete it. It’s digital decluttering, and it’s one of the simplest yet most powerful things you can do to protect your personal information.
The second habit is to actively minimize your digital footprint. This is where the apps you only need for a short time come in. Let’s say you’re signing up for a service just to get a one-time coupon. Why give it your real email address? Use a temporary email. This way, the company won’t be able to track you long-term, and it will also keep your main inbox clean.
As for passwords — never, ever reuse them. Use a password manager to create unique ones for every single app and to store them safely so you don’t have to memorize all of them, just the master password for the password manager app.
By providing the absolute minimum information an app needs to function, you’re not just protecting your data but you’re also taking back control, one app and one permission at a time.
How innocent apps become security backdoors
Aleksandra: How do seemingly innocent apps sometimes create security backdoors into our devices or data?
Dominykas: It’s a type of Trojan Horse problem in security. An app can look completely innocent on the surface — a game or a photo editor — but it can create a backdoor in one of two ways: either through an unintentional flaw within its code, or if malicious actors use it as a delivery system for an attack from the outside.
Let’s start with the first case — the “inside job.” Many app developers don’t write every single line of code themselves. They use pre-built components called third-party libraries for common functions like processing images, handling animations, or managing user authentication. The problem is, if that third-party library has a vulnerability, it gets copied into every app that uses it.
A perfect example happened with one messaging app a few years ago. Imagine getting a fun animated sticker from a friend. It seems perfectly harmless. However, in older versions of the app, the code that processed those animated stickers had a flaw — a specific type of bug called a heap buffer overflow. A specially crafted sticker could exploit this bug to write malicious code into the device’s memory, potentially giving an attacker a foothold.
This is a huge hidden threat because research shows developers are often slow to update these libraries, which means these doors remain open for a long time.
The second case is when the app itself is innocent, but someone uses it as a vehicle for an attack. This happens most often with malvertising and fake apps.
Malvertising is when malicious actors buy ad space within legitimate apps. You could be playing your favorite game, and an ad pops up that looks real. Once you click it, it directs you to a site that tricks you into installing malware. Recently there was a major campaign where malicious ads in legitimate apps pushed advanced crypto-stealing malware to Android users worldwide. The app you were using was fine, but it served you a weaponized ad.
And this brings us to the biggest risk of all — downloading apps from outside official stores. Why is it risky? Because attackers create fake versions of popular apps that look exactly like the real thing. But underneath that familiar interface, they’re packed with malware specifically designed to steal your passwords, banking information, and personal data.
Hidden security tools in your smartphone
Aleksandra: What built-in tools do smartphones offer to monitor and restrict app activities that most users don’t utilize?
Dominykas: Most people assume they’re at the mercy of their apps, but the truth is, our phones already have incredibly powerful, built-in tools to fight back. The biggest problem is that these features are often buried in settings menus and aren’t well-publicized.
On Android, the three most useful app security features are:
- The Privacy Dashboard. It’s a simple timeline that shows you exactly which apps accessed your camera, microphone, or location in the last 24 hours. It’s the best way to spot suspicious behavior.
- Permission Manager and Special App Access menus. This section is where you can control the most powerful permissions, like which apps can access all your files or modify system settings. Check it regularly to spot apps that have gained a lot (possibly too much) control over your device.
- App Pinning. This lets you lock your phone to a single app before handing it to someone. They can’t switch apps or snoop through your phone until you unlock it.
On iOS, the hidden gems are:
- The App Privacy Report. You have to turn it on, but once you do, it acts like a detailed private investigator’s report for every app. It shows you how often an app accessed your data, like your photos and contacts, but more importantly, it shows you every single third-party web domain the app is communicating with in the background.
- Content and Privacy Restrictions. This is the master control panel. You can use it to completely lock down core permissions. For example, you can globally disable microphone access for all apps or prevent any app from changing your contact settings.
Both platforms give you deep control far beyond the initial “yes” or “no” permission pop-up. The challenge is just knowing these tools are there and taking a moment to use them.
Key takeaways: Your mobile security action plan
Based on our conversation with Dominykas, here’s the list of tips on how to improve your mobile app security:
Your app security basics:
- Stick to official app stores. Apps from unknown sources may contain malware disguised as legitimate applications.
- Apply the context rule. Before granting permissions, ask yourself: “Does this app actually need this access to function?” If not, deny it.
- Keep your apps updated. Regular updates often contain security fixes for vulnerabilities in third-party libraries.
Extra security steps:
- Audit your apps quarterly. Check which apps have access to your microphone, camera, and location. Delete apps you haven’t used in months.
- Use masked emails and unique passwords. For temporary or one-time apps, use disposable email addresses and always create unique passwords for each account with a password manager.
- Explore your phone’s privacy tools. Find and activate the Privacy Dashboard (Android) or App Privacy Report (iOS) to monitor what your apps are actually doing.
Advanced protection:
- Use built-in restrictions. Set up Content and Privacy Restrictions (iOS) or Special App Access controls (Android) to create additional barriers.
- Practice app pinning. When lending your phone, use app pinning to prevent others from accessing your personal data.
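The context rule and the quarterly audit from the list above can be scripted for an Android phone connected over adb. This is an added example, not part of the original article; the package names, the expected-access table, and the sample text (a constructed, simplified imitation of `adb shell dumpsys package` output) are assumptions.

```python
import re

# Android runtime ("dangerous") permissions for the data types named above.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "SMS",
}
# Hypothetical packages: what each app plausibly needs for its purpose.
EXPECTED = {"com.example.photoeditor": {"camera"}, "com.example.offlinegame": set()}
# Constructed sample, simplified from `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
  Package [com.example.photoeditor] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET]
  Package [com.example.offlinegame] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def granted_permissions(dump):
    """Return {package: set of labels for sensitive permissions currently granted}."""
    result, current = {}, None
    for line in dump.splitlines():
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
        elif perm and current and perm.group(2) == "true" and perm.group(1) in SENSITIVE:
            result[current].add(SENSITIVE[perm.group(1)])
    return result

def audit(dump, expected):
    """Return {package: sorted labels granted but not expected for the app's purpose}."""
    granted = granted_permissions(dump)
    return {pkg: sorted(g - expected.get(pkg, set()))
            for pkg, g in granted.items() if g - expected.get(pkg, set())}

if __name__ == "__main__":
    for pkg, extra in audit(SAMPLE_DUMP, EXPECTED).items():
        print(f"{pkg}: review access to {', '.join(extra)}")
```

A package missing from the expected-access table is treated as needing nothing, so every sensitive permission it holds is listed for review.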
Remember, mobile security isn’t about becoming paranoid — it’s about being an active participant in your own digital life rather than a passive user who accepts every request without thinking.