This Black Friday, around half of us will reach for our smartphones to try and bag the latest deals, with 27 percent of people preferring to do so through a retailer’s app.
But is there a privacy cost in trying to get the best deal via an app?
We analyzed 101 of the most popular Black Friday apps for Android to find out what personal information they collect after you’ve downloaded them. On average, each app requested access to nearly 29 permissions, eight of which are deemed “dangerous” or high-level by Android.
Android defines permissions as being “dangerous” if they “give your app additional access to restricted data or let your app perform restricted actions that more substantially affect the system and other apps.” These include any permissions that request access to one of the following groups: camera, microphone, calling, contacts, body sensors, texting, storage, and GPS location.
Even though accessing some of these permissions is necessary for some Black Friday apps to provide their service, many may be requesting unnecessary permissions after download. Equally, all of these permissions should be covered in the app’s privacy policy, so we checked to see if they’re clearly mentioned and defined.
Worryingly, in 27 cases, we found that apps are requesting access to a device’s camera and/or media files without specifying this in their privacy policy. 11 apps also request a device’s precise (or “FINE”) location but omit this from their privacy policy. In one case, an app’s policy explicitly stated that it “does not access your location,” but the app’s manifest suggested otherwise.
While examining the privacy policies, we also looked at whether or not they adhered to all of Google Play’s privacy policy standards (detailed below). We found 23 apps that are in possible violation of these standards.
Finally, we counted how many trackers each app uses. On average, each Black Friday app had nearly seven trackers each.
We contacted all of the developers of the apps mentioned in this piece and you can read their responses in the relevant section below.
Key findings:
- The average app requests access to nearly 29 permissions in total, 8 of which are classed as high-level/“dangerous”
- The most common dangerous permissions are ones that request access to the device’s camera, access location data (precise geolocation data or approximate location based on cell tower or Wi-Fi data), and read and write to external storage (data outside of the app, e.g. stored on the device)
- 23% of apps (23 apps out of 101) potentially violate Google’s privacy policy standards
- The most common omission from privacy policies was the data retention period (not provided by 8 apps), followed by a clear policy on how users can delete their data (omitted, restricted, or unclearly defined by 11 apps)
- The average app comes with 7 trackers, with one app (Vinted) coming with 17
- These apps have been downloaded by over 7 billion people (as per each app’s download figure on Google Play)
The average Black Friday shopping app requests access to 8 high-level, “dangerous” permissions
After analyzing each of the manifests for the 101 Black Friday shopping apps we downloaded, we found that, on average, each app was requesting access to 28.7 permissions. Out of these, eight are classed as “dangerous” because of the data to which they request access.
The most requested high-level permissions were:
- CAMERA – Gives the app access to the camera function of the device
- ACCESS_FINE_LOCATION – Gives the app access to the location of the device, accurate to within about 50 meters
- ACCESS_COARSE_LOCATION – Gives the app access to the location of the device, accurate to within about 3 square kilometers
- WRITE_EXTERNAL_STORAGE – Allows the app to write data to external storage on the device (e.g. outside of the app)
- READ_EXTERNAL_STORAGE – Allows the app to read data saved in external storage on the device (e.g. outside of the app)
As we’ve already mentioned, some of these permissions will be necessary for the app to provide customers with access to certain services. For example, a user’s location will be required for a store locator, or camera access may be required for a virtual try-on feature. However, if these permissions are required, they should be clearly defined in the app’s privacy policy so the user is completely aware of what data the app is requesting.
We found a number of instances where this wasn’t the case.
For example, Cdiscount’s privacy policy states: “The Cdiscount app does not access your location.” However, its manifest shows that it is requesting access to a user’s COARSE and FINE location. In total, we found 11 apps where access to a user’s FINE location was omitted in the privacy policy.
The popular Indian shopping app, Jiomart, also failed to mention in its privacy policy that the app requests access to a device’s camera and to read media images and videos. We found a total of 27 apps that didn’t mention camera access in their privacy policy but requested access after the app was downloaded.
Which apps request access to the most “dangerous” permissions?
According to our findings, the following apps requested access to the most “dangerous” permissions:
- Lazada – This app requested access to 61 permissions in total with 21 of these being “dangerous.” These included access to the user’s camera and “FINE” location. However, Lazada does cover these permissions in its privacy policy and adheres to Google’s privacy policy standards.
- Taobao – Taobao also requested access to 21 “dangerous” permissions with 56 permissions requested in total. It also adhered to privacy policy standards.
- Daraz – Across its 58 requested permissions, 20 are classed as “dangerous” but camera and location access were clearly stated in its privacy policy, as was all the other key information.
AliExpress, Flipkart, Shopee, and Bukalapak all requested 19 “dangerous” permissions each but did cover key permissions (e.g. camera and location access) in their privacy policies.
*Please note: all privacy policies were accessed from the UK (or a local server where privacy policy webpages were restricted to their location of origin, e.g. the US) so may differ from other country policies and these policies may have been updated since our analysis.
23% of apps potentially violate Google’s privacy policy standards
According to Google Play’s User Data section, privacy policies should:
- Have clear labeling as a privacy policy (for example, listed as “privacy policy” in the title).
- Feature the entity (for example, developer, company) named in the app’s Google Play store listing within the privacy policy or the app must be named in the privacy policy.
- Include developer information and a privacy point of contact or a mechanism to submit inquiries.
- Disclose the types of personal and sensitive user data the app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
- Include the developer’s data retention policy.
- Feature the developer’s deletion policy.
- Not be presented in PDF format.
Across the 101 apps we covered, each category saw at least one app that possibly wasn’t meeting these standards. Eight apps didn’t clearly provide a data retention period and 10 apps either didn’t offer a data deletion policy or limited it to certain locations (e.g. specific US states).
The app with the most possible violations in its privacy policy was OZON. It didn’t provide clear developer contact information, a data retention period, or a data deletion policy.
The average Black Friday shopping app comes with 7 trackers
A tracker is a piece of code in an app (or website) that collects data about your behavior and the app’s usage. They’re typically used both to build a profile of your interests for advertising and to gather analytics to improve the app’s functionality.
All but one of the 101 apps we studied contained trackers. Vinted had the most (17), while Vivo had the least (0).
There were 74 different trackers used overall, though 58 of them were used less than 10 times. The most frequently used tracker was Google Firebase Analytics (used by 94% of the apps), followed by Google CrashLytics (used by 73% of the apps), and Facebook Login (used by 44% of the apps).
Google Firebase Analytics is a powerful tracker that collects data about how users interact with the app. So, for example, it can log events like first opens, in-app purchases, and session duration. Developers need to actively disable the automatic collection of granular location and device data. Failure to do so results in the collection of the user’s location, as well as the brand and model of their device.
Google CrashLytics is designed to send crash reports back to developers so that they can identify and correct any issues with an app’s code. It automatically collects stack traces when an app crashes, the state of the app when the crash happened, device metadata, and the Crashlytics installation UUID.
The Facebook Login tracker provides a way for users to log in to an app using their Facebook credentials. It’s typically used alongside the Facebook Share tracker.
Overall, Facebook and Google trackers make up 10 of the 74 trackers we found across the 101 Black Friday apps. More than half of the apps (52%) we looked at had at least one Facebook tracker. These trackers include Facebook Ads, which advertisers use to track user behavior (e.g. page views, clicks, and purchases). This data is sent back to Meta’s ad system so Facebook and Instagram ads can target users more efficiently.
Google trackers were used by 98% of the Black Friday apps. They include Google AdMob, which lets developers monetize apps even when users don’t make a purchase. It does this by allocating space in the app for ads. When that ad space is requested, the Google Mobile Ads SDK reports to Google, and demand comes in via real‑time bidding from advertisers. The SDK also automatically collects the user’s IP address, interaction data (such as app launches, taps, and video views), device and account identifiers, and advertising ID.
The take-home message here is that, while using shopping apps on Black Friday, your behavior is being closely scrutinized. Even if you don’t end up buying anything, the data collected about you and the adverts shown to you make companies like Meta and Google money.
App developer responses to our findings
If we receive any responses from the app developers mentioned above, we will add their replies here.
How to keep your data safe while using Black Friday shopping apps
Before you download and start using an app, it’s a good idea to look at what permissions it requests access to on the Google Play Store. You can see this by clicking on the “Data safety” section of the app page and looking at the “Data collected” section:
Reading the privacy policy will also help you understand why this data is collected, how it may be shared, how long it’s stored for, and how you can have it deleted. However, as we’ve seen, some privacy policies fail to cover all aspects of the data collected.
You can check exactly what permissions the app is requesting through the app settings on your device. If an app is requesting a permission that you’re not happy with, you can then revoke this permission in these settings. We provide full details on how to do this here.
Methodology
First, we collated a list of the most popular shopping apps on Google Play (based on the number of total downloads). We then examined their privacy policies to see if they covered the key areas stipulated in Google Play’s user data policy requirements. We also looked at what data the privacy policy said the app collected.
Then, we examined the individual manifests of each of the apps to see which permissions the apps were requesting. We assigned these into two categories – “normal” and “high level.” “High-level” or “dangerous” permissions are those detailed by Android as ones that “give your app additional access to restricted data or let your app perform restricted actions that more substantially affect the system and other apps.”
Privacy policies were accessed from the UK (or a local server where privacy policy webpages were restricted to their location of origin, e.g. the US) so other versions may have been available for users in other countries. Privacy policies are also frequently updated so some may have seen changes since our analysis.
