The popular apps that are SPYING on you: Cybersecurity experts issue urgent warning over 'data hungry' apps that can access your location, microphone and data

They're some of the biggest apps in the world, used by hundreds of millions of people every day. 

But according to a new investigation, 'data hungry' smartphone apps like Facebook and Instagram ask for 'shocking' levels of access to your personal data.

Experts at consumer champion Which? investigated 20 popular apps across social media, online shopping, fitness and smart home categories. 

They found all of them ask for 'risky' permissions such as access to your location, microphone, and files on your device – even when they don't need to. 

The experts urge people to be more careful about what exactly we agree to when we download an app and mindlessly agree to permissions. 

We could be compromising our privacy when we hastily tap 'agree'. 

'Millions of us rely on apps each day to help with everything from keeping on top of our health and fitness to doing online shopping,' said Harry Rose, editor of Which?

'While many of these apps appear to be free to use, our research has shown how users are in fact paying with their data – often in scarily vast quantities.'  

Among social media apps, Facebook, owned by Meta, was arguably the most keen for user data - it wanted the highest number of permissions (69 in total, of which 6 are considered 'risky')

WhatsApp, also owned by Meta, wanted 66 permissions in total, six of which are considered risky

Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps on an Android handset. 

The list included some of the biggest names in social media (including WhatsApp, Facebook, Instagram, TikTok), online shopping (Amazon, AliExpress), the smart home (Samsung Smart Things, Ring Doorbell) and fitness (Strava). 

Combined, the 20 apps have been downloaded over 28 billion times worldwide – meaning the average UK adult is likely to have several of them on their phone at any given time. 

If someone were to have all 20 downloaded on their device, collectively they would grant a staggering 882 permissions – potentially giving access to huge amounts of an individual’s personal data.

Overall, the team found Chinese app Xiaomi Home asked for a total of 91 permissions – more than any other app in the study – five of which are described as 'risky'. 

Risky permissions include those that access your microphone, can read files on your device, or see your precise location (usually referred to as 'fine location'). 

Such data is a valuable commodity and may allow firms to target users with 'uncannily accurate adverts'. 

Samsung's Smart Things app asked for 82 permissions (of which eight are risky), followed by Facebook (69 permissions, six risky) and WhatsApp (66 permissions, six risky). 

Meta's photo-sharing app Instagram asked for a total of 56 permissions, of which four are considered 'risky' 

How to improve your app privacy  

  • Check privacy information: Review any data collection information on the app store listing, including the permissions an app will request
  • Read the privacy policy: You can find it either on the app store listing or company’s website. If you don’t want to read the whole thing then focus on the sections on data collection and sharing
  • Limit or revoke permissions: In Apple iOS and Google Android, you can control what apps can access your data (tap Settings, and then Apps and Permissions to see what each app can access)
  • Delete: If you aren’t sure about an app, delete it - and make sure all your account data is deleted, too

Xiaomi Home was also one of two apps (alongside AliExpress) to send data to China, including to suspected advertising networks – although this was flagged in the privacy policy by both.

AliExpress requested six risky permissions such as precise location, access to microphones and reading files on the device. 

AliExpress also bombarded users with a deluge of marketing emails after download (30 over the course of a month) but the researchers did not see any specific permission request from AliExpress to do so. 

Temu, another Chinese-owned online marketplace, also gave a heavy push to sign up to email marketing – which many users could easily agree to without realising, the experts reasoned. 

Among social media apps, Facebook was 'the most keen for user data' as it wanted the highest number of permissions (69 in total, six of which risky), followed by WhatsApp (66 altogether, six of which risky). 

TikTok, meanwhile, asked for 41 permissions, three of them risky, including the ability to record audio and view files on the device, while YouTube asked for 47 permissions, four of which were 'risky'. 

Overall, 16 of the 20 apps requested a permission that allows apps to create windows on top of other apps – effectively creating pop-ups on your phone, even if you opted out of the app sending notifications.

Seven also wanted a permission that allows an app to start operating when you open your phone even if you haven't yet interacted with it. 

In some cases there are clear uses for risky permissions – for example the likes of WhatsApp or Ring Doorbell may need microphone access in order to carry out certain functions.

But in other examples the need for risky permissions was less clear cut, according to Which?

For example, four apps – AliExpress, Facebook, WhatsApp and Strava – requested permission to see what other apps were recently used or are currently running.

The researchers stress that the investigation was conducted on an Android phone and that permissions may vary on Apple iOS devices. 

But we should all be more careful of tapping "yes" to permissions while mentally on 'autopilot' without really being aware of what we're agreeing to, Mr Rose said. 

'Our research underscores why it’s so important to check what you’re agreeing to when you download a new app,' he added. 

The full findings can be read on the Which? website

In response to the findings, Meta (which owns WhatsApp, Facebook and Instagram) said none of its apps 'run the microphone in the background or have any access to it without user involvement'. 

Meta also said that users must ‘explicitly approve’ in their operating system for the app to access the microphone for the first time. 

A Samsung spokesperson said: 'All our apps, including SmartThings, are designed to comply with UK data protection laws and relevant guidance from the Information Commissioner's Office (ICO).' 

Meanwhile, TikTok said that privacy and security are 'built into every product' it makes. It added: TikTok 'collects information that users choose to provide, along with data that supports things like app functionality, security, and overall user experience'. 

Strava said that the risky permissions it takes, such as precise location, allow it to 'provide the very service that our users are requesting'. It said that it has 'implemented appropriate guardrails' around how data is 'collected, shared, processed, and used'. 

Amazon said that device permissions are to provide 'helpful features', such as 'the ability to visualise products in their home with their device’s camera or search for products using text-to-speech'. It added: 'We also give customers clear control over personalised advertising by requesting consent when they visit our UK store and providing options to opt out or adjust preferences at any time.' 

AliExpress claimed that the precise location permission is not used in the UK, and the microphone permission requires user consent. It added: 'We strive to create a platform where consumers can shop with confidence, knowing that their data is safeguarded in accordance with the law and our strict privacy policy. We welcome the findings from Which? as an opportunity to redouble our efforts in this area.' 

Ring said that it doesn’t 'use cookies or trackers on the Ring app for advertising' and all permissions are used to 'provide user-facing features'. It added: 'We design our products and services to protect our customers’ privacy and security, and to put our customers in control of their experience. We never sell their personal data, and we never stop working to keep their information safe.' 

A Temu spokesperson said precise location permission is ‘used to support completing an address based on GPS location’ but it is not used in the UK market, adding that it 'handles user data in accordance with local and international regulations and in line with leading industry practices'.

Google (representing YouTube), Xiaomi, Impulse and MyFitnessPal did not respond to requests for comment. 

Total permissions by app

APP NAME               TOTAL PERMISSIONS   RISKY PERMISSIONS
Bosch Home Connect     22                  2
AliExpress             50                  6
Amazon                 48                  4
Calm                   23                  2
Facebook               69                  6
Flo                    45                  1
Instagram              56                  4
MyFitnessPal           34                  3
Ring Doorbell          37                  5
Samsung Smart Things   82                  8
Shein                  27                  4
Strava                 38                  5
Temu                   12                  2
TikTok                 41                  3
Tuya                   48                  5
WhatsApp               66                  6
Vinted                 25                  2
YouTube                47                  4
Xiaomi                 91                  5
Impulse                21
