Shopping apps request intrusive data permissions, report finds

A new study by Cybernews has revealed that many popular shopping apps request access to sensitive user data, raising concerns over privacy as the holiday shopping season begins. The analysis covered 71 shopping apps on the Google Play Store, uncovering a pattern of intrusive permissions that could lead to significant privacy risks.

The report highlights the Tata Neu app, developed by India's Tata Group, as the most intrusive.

It requires 19 potentially dangerous permissions. Following closely are Taobao, owned by China's Alibaba Group, with 18 permissions, and Lazada, another Alibaba platform, with 17.

These apps request access to a user's location, camera, microphone, contacts, and files. Tata Neu stands out for its ability to read SMS messages and phone state, which includes details such as phone numbers, network status, SIM card details, and IMEI codes. Additionally, the app can access user accounts associated with the device, such as Google or Meta accounts.

Amazon Shopping ranks fourth, demanding 16 permissions, including access to location, camera, phone state, and external storage.

The study found that most apps request permissions for features beyond their core shopping functions. Of the 71 apps analysed, 66 sought permission to post notifications. While common, such access could be misused to send ads, phishing links, or misinformation. This applies to apps such as Shein, Aliexpress, Costco, eBay, Samsung, Nike, Ikea, and Lidl.

Sixty-two apps, including Amazon, Shein, and Nike, request precise location data, enabling them to pinpoint a user’s location within metres. This data, if mishandled, could lead to tracking or surveillance.

The same number of apps sought access to device cameras. Permissions for photos, videos, and video calls could potentially be exploited for unauthorised recording. Popular apps like Aliexpress, Costco, and Lidl are among those requesting this access.

Fifty-four apps, including Cider and Costco, requested permissions to read and write data on external storage. This could allow apps to access personal files and documents. Misuse of this permission could result in data breaches or loss.

Thirty-seven apps, including eBay and Aliexpress, were found to access microphones. Such access could enable recording of conversations without user knowledge, posing significant privacy risks.

Thirty-six apps sought permission to read phone state. This allows identification of the device and its user, opening the door to potential interception of communications.

Cybernews researchers advised caution when granting permissions to apps. “Most users tend to grant all permissions automatically, but it’s safer to start with auto-reject and adjust on the go,” they said.

Users are encouraged to review app permissions and limit access to sensitive features unless necessary for app functionality.

HT