Comparitech reveals widespread privacy gaps in mobile shopping apps ahead of holiday season – SiliconANGLE

A new study out today from tech research site Comparitech delves into the online apps ahead of the holiday shopping period, revealing alarming privacy concerns for consumers.

The study analyzed 91 popular shopping apps and discovered that the average app requests 26 permissions, with eight of those classified as “dangerous” by Android standards. Permissions that are classed as “dangerous” by Android are ones that “give your app additional access to restricted data or let your app perform restricted actions that more substantially affect the system and other apps.”

The granted permissions could potentially give apps extensive access to personal data, including camera, location, contacts and device storage, raising significant privacy red flags for unsuspecting holiday shoppers.

Though the study notes that some shopping apps will require access to these permissions to provide the service, such as finding deals closest to a person’s location, many encroach on user privacy by requesting access to unnecessary permissions.

The Comparitech researchers looked into whether these permissions were covered in the apps’ privacy policies, which, since they’re high-level permissions, they should be. The results included 32 apps requesting access to the camera permission or media files failing to include this in their privacy policies. Twelve apps also requested access to precise location data but failed to cover it in their privacy policies.

The study found that the most prevalent dangerous permissions are focused on reading external storage, accessing precise and approximate location data and enabling camera function access. The permissions grant apps significant insight into users’ personal device information and activities.

The researchers uncovered a particularly critical concern, with 60% of the analyzed apps potentially violating Google’s privacy policy standards, highlighting systemic issues in data transparency.

The most frequent omissions were related to data retention periods, with 19 apps failing to specify how long they would keep user data and 15 apps lacking a clear policy on how users could request data deletion. The lack of clarity is noted as leaving consumers in the dark about the lifecycle of their personal information.

Some examples of apps behaving badly include the Groupon app requesting access to the camera function, but there’s no mention of requiring access to the camera or media functions on the device in its privacy policy. Other examples of those omitting the camera function permissions in their privacy policy include Rakuten and Livelo: juntar e trocar pontos.

Twelve apps also omitted that their manifest requested access to the device’s location. This included DHgate-online wholesale stores, Hepsiburada: Online Shopping and Cdiscount. Hepsiburada was also found to have failed to provide developer contact details, a data retention period and how users can have their data deleted within its privacy policy.

Though some of those shopping services aren’t well-known, the app that topped the list for the most dangerous permissions needs no introduction: Amazon Shopping. The Amazon app was found to request the most permission of any app tested — 59 — with 20 of those ranked as “dangerous.” Access requested by Amazon’s app included the device’s location, camera, media, contacts, calendar and various Bluetooth features.

“Before you download and start using an app, it’s a good idea to look at what permissions it requests access to on the Google Play store,” Comparitech’s researchers concluded. “Reading the privacy policy will also help you understand why this data is collected, how it may be shared, how long it’s stored for and how you can have it deleted.”

Image: SiliconANGLE/Ideogram