NEW YORK, July 22: Some of the world’s most widely used smartphone apps have come under scrutiny for demanding extensive access to personal data, often beyond what’s necessary for basic functionality, according to a new investigation by consumer watchdog Which?

The study, conducted with cybersecurity experts from Hexiosec, analyzed 20 popular Android apps spanning social media, online shopping, smart home, and fitness categories. The findings reveal that all of them requested "risky" permissions—such as access to users’ microphone, location, and device files—raising significant privacy concerns.

While apps like Facebook, Instagram, TikTok, Amazon, and WhatsApp are marketed as free, Which? warns that users are often paying with their personal information. “Millions of us rely on apps each day for everything from health tracking to shopping,” said Harry Rose, editor of Which? “But our research shows that users may be surrendering vast amounts of data—often unknowingly.”

Together, the 20 apps have been downloaded more than 28 billion times globally. If installed on one device, these apps would collectively request 882 permissions. Among these, Xiaomi Home requested the highest number — 91 permissions in total, five of which were flagged as risky.

Risky permissions include those that allow apps to record audio, access precise GPS location, read internal files, or even overlay content on top of other apps—often without any clear user benefit.

Samsung’s SmartThings app followed with 82 requested permissions (eight risky), with Facebook demanding 69 (six risky), and WhatsApp asking for 66 (six risky).

The apps that sought permission to draw over other apps—creating pop-ups—and those that activate when a phone is turned on, were also cause for concern. TikTok, for instance, requested 41 permissions (three risky), and YouTube sought 47 (four risky).

Xiaomi Home and AliExpress were the only two apps found to send user data to servers in China, including suspected advertising networks. While this was disclosed in both apps’ privacy policies, experts noted the potential implications for user data security.

AliExpress requested six risky permissions, including precise location, microphone access, and file reading. It also sent users an overwhelming 30 promotional emails within a month, despite no specific permission request for email marketing.

Temu, another Chinese online retailer, was criticized for aggressively pushing users into subscribing to marketing emails—often without them realizing it.

The Which? team advised consumers to take several steps to safeguard their privacy:

Some apps, like Ring and WhatsApp, may require microphone access for core functionality. However, the necessity of certain permissions—like tracking which apps are open or recently used—is questionable, the experts said.

Apps including Facebook, WhatsApp, AliExpress, and Strava were found to seek such permissions.

The research was conducted using Android devices; permission settings may differ for Apple iOS users.

In response to the findings:

Companies such as Google (YouTube), Xiaomi, Impulse, and MyFitnessPal did not respond to requests for comment.