We checked the terms and conditions, the number of permissions asked, and which permissions were unnecessary for the top five apps in 18 categories (such as Shopping, Travel, and Gaming). We also checked how the terms and conditions differ in 18 countries around the globe, including Australia, Germany, Japan, and the US.
87% percent of Android apps and 60% of iOS apps requested permissions that were not needed for their functions.
Out of 103 different apps, 16 Android and 18 iOS apps collected more unnecessary data than necessary data. 29 Android and 19 iOS apps collected no unnecessary data.
On average, about 20% of requested permissions were not needed for the app’s functionality. Android apps averaged four unnecessary permissions out of 19 overall requests, while iOS apps averaged one out of five.
Social networking apps asked for the most Android device permissions, including access to your location and camera. Health and fitness apps were the most demanding on iOS, also asking for permissions related to health data.
Android and iOS apps in Hong Kong and Taiwan asked for the most permissions on average. This is likely due to the differences in legislation, culture, and app popularity.
Apps in Australia, Canada, the UK, and the Netherlands collected the most personal information on average. Apps in Mexico asked for the lowest number of permissions.
What do apps want to access the most?
Nearly half of all studied apps asked for permissions related to user activities outside of the actual app. Other popular permission requests related to potentially sensitive information: access to your location, camera, photos, and microphone.
How many permissions are not needed?
Collectively, the top five apps in each of the studied 18 categories asked for 1,808 permissions on Android and 421 permissions on iOS. Of these permissions, 433 were unnecessary on Android and 73 were unnecessary on iOS.
While the discrepancy between the overall number of permission requests on Android and iOS is staggering, this has less to do with privacy protection and more to do with Apple’s digital ecosystem. Apple’s threat model is hackers, not the apps themselves, so certain device features are automatically locked down, resulting in less overall permission requests.
In fact, iOS has fewer privacy protections for apps than Android — the user is expected to trust Apple and the app developers to be responsible for their data. Meanwhile, Android gives users more transparency and control when it comes to their choices, but in turn lacks some of the iOS in-built protections.
The Android numbers are also inflated by the system-level permissions discovered using Exodus Privacy, an auditing platform for Android apps. Overall, Exodus scans reveal that apps ask for about 50% more permissions than shown in Google Play. It is almost certain that iOS follows a similar practice, only listing the most obvious or contentious in the store.
Which apps ask for the most and least permissions?
On Android, social networking, messaging, navigation, business, and dating apps asked for the most permissions on average. When it came to unnecessary permissions, social networking, lifestyle, navigation, health and fitness, and travel apps were the most greedy.
Of particular note is that lifestyle, dating, navigation, business, and health and fitness Android apps were also found to make regular “special,” “dangerous,” or “biometric” permission requests (S/D/B), which deal with highly sensitive or personal information and system-critical processes.
At the other end of the spectrum, Android gaming apps made the least requests (10) and asked for little to no unnecessary data (less than one) on average. They also made only one S/D/B permission request on average.
On iOS, health and fitness, social networking, navigation, dating, and lifestyle apps asked for the most permissions on average. At the same time, health and fitness, social networking, navigation, weather, and education apps asked for the most unnecessary permissions.
We cannot be sure how many of these requests were related to “special,” “dangerous,” or “biometric” permissions because they are not labeled separately in iOS.
Food and drink apps asked for the lowest number of permissions on average (less than three), while productivity apps asked for the least number of unnecessary permissions (almost zero on average).
Which countries have the best and worst permission track records?
On average, apps from the East Asia regions made the most permission requests — Hong Kong and Taiwan dominated both the Android and iOS charts, while Android apps from Japan and Singapore also made a strong showing. This likely stems from the nature of the popular apps studied and the different regulatory environment in the region.
When it comes to unnecessary permissions on Android, apps from Hong Kong, Taiwan, Singapore, Japan, and Brazil lead the way. Taiwan, Hong Kong, and Japan also had the highest numbers of S/D/B requests. For iOS, apps from Hong Kong, Taiwan, Sweden, and Japan made the most unnecessary permission requests on average.
On the flip side, apps from Mexico made the lowest number of unnecessary permission requests, the lowest number of S/D/B requests, and even the lowest number of permission requests overall for Android. For iOS, apps from Spain and the US made the least of overall requests, while apps from Spain, the US, Italy, and Poland made the least unnecessary requests.
How many permissions do specific apps want?
You can browse our findings regarding permission requests for the most popular Android and iOS apps using the interactive table. Select a category to see its top five apps and the number of permission requests (and unnecessary permission requests) they make.
Conclusions: How to protect your privacy
Do not blindly trust numbers: iOS apps may appear to be more privacy-oriented due to lower request numbers, but these results are heavily skewed by the iOS digital ecosystem. In fact, iOS apps may be giving you less information on average about what data is being collected.
Some categories are more intrusive: Social networking, health and lifestyle, and navigation apps consistently top the charts for overall and unnecessary requests. Be wary when installing and using apps in these categories.
Apps to be wary of: TextNow scored very poorly, with the most permissions overall on Android. Facebook made lots of requests, over a third of which were unnecessary. Wyze was also permission-happy, although it does not report what data it collects.
Check before accepting: Many apps request access to device functions that are unrelated to their performance. Always consider whether the app really needs your data to do its job before you tap “Accept.”
Discover more research into our everyday digital lives
Healing or hacking? Examining the hidden cost of health apps
Health apps can help us achieve peace of mind and restore our physical health. But what role does health technology play in our digital well-being? We surveyed 12,726 users worldwide to examine the use of health management apps and the unnoticed trade-off happening in the background.
Tip of the iceberg: 6M stolen cards analyzed
Thousands of stolen credit cards are bought and sold every day. To understand the risks posed by credit card theft, we analyzed a dataset of 6 million credit cards available on major dark web marketplaces — just the tip of the iceberg of credit card theft worldwide.
Bot markets: How hackers sell your online identity
Digital bots are becoming increasingly common. They operate in fields such as customer service, search engine optimization, and entertainment. Yet not all bots may serve good intentions – many of them can be malicious.