As we approach Black Friday this week, millions will be browsing their favourite shopping apps in the hope of bagging a bargain.
While these bargains are just a few taps away, many of these platforms may be tracking your personal data as soon as you install them, experts warn.
Researchers at Cybernews analysed 71 of the world’s most popular shopping apps on the Google Play Store, including Amazon, eBay, Ikea, Samsung and Lidl.
In all, 62 request permission to track users’ precise location, enabling them to pinpoint a user’s position within just 10 feet (three metres), they found.
Cybernews has released an interactive tool that lets you search your chosen shopping app and see which dangerous ‘permissions’ it asks for.
Dangerous permissions give an app intrusive access to restricted user data or let it perform actions that could compromise privacy.
‘With shopping season just around the corner, your favorite shopping apps might offer more than just Black Friday deals – some might also track your personal data,’ said Paulina Okunyte, a researcher at Cybernews.
‘The convenience of getting the best deals with one click might come at the price of your privacy.’
When you install a shopping app on your device, you’ll be prompted to grant it various ‘permissions’.
These permissions can give apps access to various features on your phone, such as your camera, microphone, private messages, conversations, photos and more.
‘While some of these permissions are essential for the app to work, some may pose a risk to your private data,’ Ms Okunyte said.
The team looked at whether the 71 most popular shopping apps on the Google Play Store request any of 40 ‘dangerous permissions’ that can compromise user privacy.
Tata Neu, an all-in-one shopping and payments app developed by the India-based Tata Group, demands 19 intrusive permissions from its users – more than any other.
Taobao, owned by Chinese giant Alibaba, requests 18 dangerous permissions, while Lazada, another shopping platform under the same group, asks for 17.
When granted, these permissions let all three of the worst offenders – Tata Neu, Taobao and Lazada – access location, camera and microphone, read contacts on the device, and access the calendar and stored files.
Tata Neu can also read users’ SMS messages and ‘phone state’, which includes information like phone number, network status, network operator, IMEI codes, SIM card details and information about the internet provider.
This graph ranks the apps based on how many permissions they request. The top three are Tata Neu, Taobao and Lazada, while Amazon is joint fourth
In fourth place is Amazon, which asks for 16 permissions, including access to the user’s location and camera, phone state and external storage.
Nearly all analyzed apps (66) – including Aliexpress, Costco, eBay, Samsung, Nike, Ikea and Lidl – ask users for permission to post notifications.
The ability to post notifications is a concern because malicious or breached apps could abuse this feature to send unwanted ads, phishing links, or misinformation.
Researchers also found that the vast majority (62) ask to track users’ precise location, while 62 ask to access the device’s camera.
Meanwhile, 54 ask to read from and write to device storage, meaning they can retrieve existing information from your device and save new information to it.
And when granted permission, 37 record audio from your device’s microphone, while 36 read your phone state.
Not all the apps posed a big risk to your private data, however – Wallapop, a Spanish marketplace, and Amazon India Shop requested no dangerous permissions at all.
JUMIA, a Nigerian market, requests just one dangerous permission, while Action, a Dutch discount store chain, asks for two permissions.
The Lidl app asks to post notifications, record audio, write external storage and more, according to the researchers
Cybernews – which has published the full findings in a blog post on its website – says the public should always review an app’s permission requests before allowing it access.
Avoid an app completely if it asks for too many permissions, especially if these seem unnecessary for the app’s intended functionality, it says.
‘Remember, you can always grant permissions later if you need a specific feature,’ Cybernews said in a statement.
‘Most users tend to grant all permissions automatically, but it’s safer to start with auto-reject and adjust on the go.’