Urgent warning for shoppers as cybersecurity experts discover 62 popular apps that can track your exact location to within just a few feet
As Black Friday approaches this week, millions of people will be turning to their favorite shopping apps in hopes of bagging a bargain.
While these bargains are just a few taps away, many of these platforms can track your personal information as soon as you install them, experts warn.
Cybernews researchers analyzed 71 of the world’s most popular shopping apps on the Google Play Store, including Amazon, eBay, Ikea, Samsung and Lidl.
A total of 62 users request permission to track users’ exact location, allowing them to determine a user’s position within a radius of just three meters.
Cybernews has released an interactive tool that lets you search your chosen shopping app and see what dangerous “permissions” it requests.
Dangerous permissions give an app intrusive access to limited user data or allow the app to perform actions that could compromise privacy.
“With the shopping season upon us, your favorite shopping apps may offer more than just Black Friday deals – some may also track your personal information,” said Paulina Okunyte, researcher at Cybernews.
‘The convenience of getting the best deals with one click can come at the expense of your privacy.’
According to cybersecurity experts, your favorite shopping apps may offer more than just Black Friday deals. While great value purchases are just a few taps away, many of the platforms can also track your personal information
When you install a shopping app on your device, you’ll be asked to grant it various ‘permissions’.
These permissions can give apps access to various features on your phone, such as your camera, microphone, direct messages, calls, photos, and more.
“While some of these permissions are essential to the operation of the app, some may put your private information at risk,” Ms Okunyte said.
The team examined whether the 71 most popular shopping apps in the Google Play Store ask for any of 40 “dangerous permissions” that could compromise user privacy.
Tata Neu, an all-in-one shopping and payment app developed by India-based Tata Group, demands 19 infringing permissions from its users – more than any other.
Taobao, owned by Chinese giant Alibaba, asks for 18 dangerous permissions, while Lazada, another shopping platform under the same group, asks for 17.
When granted permission, all three of the worst offenders – Tata Neu, Taobao and Lazada – can access location, camera and microphone, read contacts on the device and access calendar and saved files.
Tata Neu can also read users’ text messages and ‘phone status’, which includes information such as phone number, network status, network operator, IMEI codes, SIM card details and internet service provider information.
This chart ranks apps based on the number of permissions they request. The top three consists of Tata Neu, Taobao and Lazada, while Amazon is tied for fourth
Tata Neu, an all-in-one shopping and payment app developed by India-based Tata Group, requires 19 intrusive permissions from its users – more than any other
In fourth place is Amazon, which requests 16 permissions, including access to the user’s location and camera, phone status and external storage.
Almost all apps analyzed (66) – including AliExpress, Costco, eBay, Samsung, Nike, Ikea and Lidl – ask users for permission to post notifications.
The ability to post notifications is a concern because malicious or hacked apps can abuse this feature to send unwanted ads, phishing links, or misinformation.
Researchers also found that the vast majority (62) ask to track users’ exact location, while 62 ask for access to the device’s camera.
Meanwhile, 54 asks to read from and write to the device storage, meaning it retrieves existing information and stores new information on your device.
And if you get permission, 37 will record audio through your device’s microphone, while 36 will read your phone status.
However, not all apps posed a big risk to your private data: Wallapop, a Spanish marketplace, and Amazon India Shop didn’t ask for any dangerous permissions at all.
JUMIA, a Nigerian market, only asks for one dangerous permission, while Action, a Dutch discount store chain, asks for two permissions.
At the other end of the scale, Wallapop, a Spanish marketplace, and Amazon India Shop don’t require dangerous permissions at all
Lidl app asks to post notifications, record audio, write to external storage and more, researchers say
Cybernews – which published the full findings in a blog post on his website – says the public should always review an app’s permission requests before granting it access.
Avoid an app entirely if it asks for too many permissions, especially if they seem unnecessary for the app’s intended functionality, it says.
“Remember that you can always give permission later if you need a specific feature,” Cybernews said in a statement.
“Most users tend to grant all permissions automatically, but it’s safer to start with auto-deny and make adjustments as you go.”