Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

Our methodology

We checked the terms and conditions, the number of permissions asked, and which permissions were unnecessary for the top five apps in 18 categories (such as Shopping, Travel, and Gaming). We also checked how the terms and conditions differ in 18 countries around the globe, including Australia, Germany, Japan, and the US.

Key findings

87% percent of Android apps and 60% of iOS apps requested permissions that were not needed for their functions.

Out of 103 different apps, 16 Android and 18 iOS apps collected more unnecessary data than necessary data. 29 Android and 19 iOS apps collected no unnecessary data.

On average, about 20% of requested permissions were not needed for the app’s functionality. Android apps averaged four unnecessary permissions out of 19 overall requests, while iOS apps averaged one out of five.

Social networking apps asked for the most Android device permissions, including access to your location and camera. Health and fitness apps were the most demanding on iOS, also asking for permissions related to health data.

Android and iOS apps in Hong Kong and Taiwan asked for the most permissions on average. This is likely due to the differences in legislation, culture, and app popularity.

Apps in Australia, Canada, the UK, and the Netherlands collected the most personal information on average. Apps in Mexico asked for the lowest number of permissions.

What do apps want to access the most?

Nearly half of all studied apps asked for permissions related to user activities outside of the actual app. Other popular permission requests related to potentially sensitive information: access to your location, camera, photos, and microphone.

infographic what do apps want to access the most

How many permissions are not needed?

Collectively, the top five apps in each of the studied 18 categories asked for 1,808 permissions on Android and 421 permissions on iOS. Of these permissions, 433 were unnecessary on Android and 73 were unnecessary on iOS.

While the discrepancy between the overall number of permission requests on Android and iOS is staggering, this has less to do with privacy protection and more to do with Apple’s digital ecosystem. Apple’s threat model is hackers, not the apps themselves, so certain device features are automatically locked down, resulting in less overall permission requests.

In fact, iOS has fewer privacy protections for apps than Android — the user is expected to trust Apple and the app developers to be responsible for their data. Meanwhile, Android gives users more transparency and control when it comes to their choices, but in turn lacks some of the iOS in-built protections.

The Android numbers are also inflated by the system-level permissions discovered using Exodus Privacy, an auditing platform for Android apps. Overall, Exodus scans reveal that apps ask for about 50% more permissions than shown in Google Play. It is almost certain that iOS follows a similar practice, only listing the most obvious or contentious in the store.

infographic unnecessary permissions by operating system

Which apps ask for the most and least permissions?

On Android, social networking, messaging, navigation, business, and dating apps asked for the most permissions on average. When it came to unnecessary permissions, social networking, lifestyle, navigation, health and fitness, and travel apps were the most greedy.

Of particular note is that lifestyle, dating, navigation, business, and health and fitness Android apps were also found to make regular “special,” “dangerous,” or “biometric” permission requests (S/D/B), which deal with highly sensitive or personal information and system-critical processes.

At the other end of the spectrum, Android gaming apps made the least requests (10) and asked for little to no unnecessary data (less than one) on average. They also made only one S/D/B permission request on average.

On iOS, health and fitness, social networking, navigation, dating, and lifestyle apps asked for the most permissions on average. At the same time, health and fitness, social networking, navigation, weather, and education apps asked for the most unnecessary permissions.

We cannot be sure how many of these requests were related to “special,” “dangerous,” or “biometric” permissions because they are not labeled separately in iOS.

Food and drink apps asked for the lowest number of permissions on average (less than three), while productivity apps asked for the least number of unnecessary permissions (almost zero on average).

infographic permission requests by app category

Which countries have the best and worst permission track records?

On average, apps from the East Asia regions made the most permission requests — Hong Kong and Taiwan dominated both the Android and iOS charts, while Android apps from Japan and Singapore also made a strong showing. This likely stems from the nature of the popular apps studied and the different regulatory environment in the region.

When it comes to unnecessary permissions on Android, apps from Hong Kong, Taiwan, Singapore, Japan, and Brazil lead the way. Taiwan, Hong Kong, and Japan also had the highest numbers of S/D/B requests. For iOS, apps from Hong Kong, Taiwan, Sweden, and Japan made the most unnecessary permission requests on average.

On the flip side, apps from Mexico made the lowest number of unnecessary permission requests, the lowest number of S/D/B requests, and even the lowest number of permission requests overall for Android. For iOS, apps from Spain and the US made the least of overall requests, while apps from Spain, the US, Italy, and Poland made the least unnecessary requests.

infographic permission requests by country

How many permissions do specific apps want?

You can browse our findings regarding permission requests for the most popular Android and iOS apps using the interactive table. Select a category to see its top five apps and the number of permission requests (and unnecessary permission requests) they make.

infographic education mobile apps permissions

Conclusions: How to protect your privacy

  • bullet

    Do not blindly trust numbers: iOS apps may appear to be more privacy-oriented due to lower request numbers, but these results are heavily skewed by the iOS digital ecosystem. In fact, iOS apps may be giving you less information on average about what data is being collected.

  • bullet

    Some categories are more intrusive: Social networking, health and lifestyle, and navigation apps consistently top the charts for overall and unnecessary requests. Be wary when installing and using apps in these categories.

  • bullet

    Apps to be wary of: TextNow scored very poorly, with the most permissions overall on Android. Facebook made lots of requests, over a third of which were unnecessary. Wyze was also permission-happy, although it does not report what data it collects.

  • bullet

    Check before accepting: Many apps request access to device functions that are unrelated to their performance. Always consider whether the app really needs your data to do its job before you tap “Accept.”

Discover more research into our everyday digital lives

hero woman meditating phone tracking sm

Healing or hacking? Examining the hidden cost of health apps

Health apps can help us achieve peace of mind and restore our physical health. But what role does health technology play in our digital well-being? We surveyed 12,726 users worldwide to examine the use of health management apps and the unnoticed trade-off happening in the background.

Find out more
iceberg credit card stolen research sm

Tip of the iceberg: 6M stolen cards analyzed

Thousands of stolen credit cards are bought and sold every day. To understand the risks posed by credit card theft, we analyzed a dataset of 6 million credit cards available on major dark web marketplaces — just the tip of the iceberg of credit card theft worldwide.

Find out more
shopping bag account selling bot sm

Bot markets: How hackers sell your online identity

Digital bots are becoming increasingly common. They operate in fields such as customer service, search engine optimization, and entertainment. Yet not all bots may serve good intentions – many of them can be malicious.

Find out more

Want to talk? Permission granted.

If you would like to discuss our findings or need more data, please don’t hesitate to contact us by email (press@nordsec.com).