Over 75 percent of the world’s population identified with a religion in 2020. Based on today’s worldwide population of just over 8 billion, that’s around 6 billion people who follow a religion.
While the ancient texts of many of these religions remain the same, how people access and interact with their religion has changed. For example, in the US alone, 21 percent of people said they used an app to help them read religious scriptures.
And that got us thinking.
With so many of us turning our phones to access religious content, just how safe are the apps we’re using? By using these apps to pray, schedule prayer times, meditate, and access information, are we giving away more than we’re aware of?
To find out, we analyzed 158 of the most popular religious apps (based on the number of downloads) from the Google Play Store.
We looked at the types of permissions requested by these apps and found that, on average, each app requested 21 permissions, 3.7 of which are classed by Android as being high-level or “dangerous.”
Android classes a permission as being “dangerous” if it gives your “app additional access to restricted data or lets your app perform restricted actions that more substantially affect the system and other apps.” This includes those that request access to one or more of the following groups: body sensors, calendar, calling, camera, contacts, GPS location, microphone, storage, and texting.
Although some religious apps may require access to these permissions in order to fulfill their service (eg your location to find the nearest religious building to you), many could be putting your privacy at risk by requesting access to unnecessary permissions. These permissions should also be covered in the apps’ privacy policies, so we also checked these to see if they were mentioned.
Our report suggests that 20 of the apps that request access to the camera and/or media files failed to disclose this permission in their privacy policies. 12 also failed to say that their apps requested access to precise location data upon download.
Finally, while examining these privacy policies, we also looked to see whether each of them was accurately covering Google Play’s privacy policy standards . We found that around half of them are in potential violation of these requirements.
We’ve contacted all of the apps mentioned in this study and will update the article with their responses.
A Google spokesperson provided us with the following:
The safety and security of users is our top priority, and if we discover an app that violates our policies, we take appropriate action.
Investigations into those it found to be in violation of its policies were also underway.
Key findings:
- The average religious app requests access to 21 permissions in total, 3.7 of which are classed as high-level/“dangerous”
- The most common dangerous permissions are ones that request access to read and write external storage (data outside of the app, eg, stored on the device), access location data (precise geolocation data or approximate location based on cell tower or Wi-Fi data), read the phone state (access to current cellular network information, the status of any ongoing calls, and a list of any phone accounts registered on the device), and request access to record audio and/or use the camera function
- 46% of apps (73 apps out of 158) potentially violate Google’s privacy policy standards
- The most common omission from privacy policies was the data retention period (not provided by 56 apps), followed by a clear policy on how users can delete their data (omitted by 48 apps)
- These apps have been downloaded 500 million times
The average religious app requests access to nearly 4 high-level, “dangerous” permissions
By looking at the manifests of the 158 religious apps we analyzed, we found that 102 different permissions were requested across all of the apps with each app requesting an average of 21 in total. Of the 102 different permissions, around a quarter (27) are classed as “dangerous” because of the data they’re controlling/requesting access to.
The top requested high-level permissions were:
- READ_EXTERNAL_STORAGE – Allows the app to read data saved in external storage on the device (e.g. outside of the app)
- WRITE_EXTERNAL_STORAGE – Allows the app to write data to external storage on the device (e.g. outside of the app)
- ACCESS_COARSE_LOCATION – Gives the app access to the location of the device, accurate to within about 3 square kilometers
- ACCESS_FINE_LOCATION – Gives the app access to the location of the device, accurate to within about 50 meters
- RECORD_AUDIO – Allows the app to record audio
- READ_PHONE_STATE – Gives the app read-only access to the phone state, which includes ongoing call status, cellular network information, and a list of phone accounts registered on the device
- CAMERA – Gives the app access to the camera function of the device
Although some apps will require access to some/all of these permissions in order to provide the service advertised, these permissions should be covered in the privacy policy so users are aware what will be requested, why it’s necessary for the app, and how this data will be used.
For example, 27 of the apps request access to the CAMERA function upon download but the privacy policies of 20 of these apps fail to mention this requirement. One of these is the Superbook Kids Bible App, which makes no mention of any type of media/camera access being required to use the app in its privacy policy. What’s perhaps even more concerning here is the fact that this app is also aimed toward children.
Of the 51 apps that require access to a user’s ‘fine’ location (which, as noted above, is within 50 meters of the user’s location), 11 don’t state as much in their privacy policies. And of the four that request access to ACCESS_MEDIA_LOCATION (which provides geographic locations of media on the device), one (Sri Mandir – Daily Praying App) doesn’t specify this in its privacy policy.
Which religious apps request access to the most dangerous permissions?
Our findings suggest the following apps request access to the highest number of “dangerous” permissions:
- Munabook – Quran Learning App, 15 “dangerous” permissions: Although this app requests access to the highest number of dangerous permissions, its privacy policy is clear and covers the requirements for accessing features like location data and the camera permission. It also gives users the option of deleting their data. The only potential violation comes in its access to the user’s calendar, which isn’t specified in its privacy policy.
- WeMuslim: Athan, Qibla&Quran, 15 “dangerous” permissions: This app also features a comprehensive privacy policy which covers all of the necessary standards and clearly describes what user data will be accessed, how it will be used, and how it can be deleted.
- Quran, Athan, Prayer and Qibla, 14 “dangerous” permissions: Despite covering the fact that camera and location data will be accessed in the use of this app, the privacy policy falls short in a number of areas. It fails to provide users with clear information on data usage and fails to include a data retention period and information on how the user can request their data be deleted.
- Habib | Shia Ai Quran Azan Dua, 12 “dangerous” permissions: This app clearly states that location data will be accessed in its privacy policy but fails to mention that the camera feature is required. Aside from this, it does meet Google’s privacy policy requirements.
- Sri Mandir – Daily Praying App, 12 “dangerous” permissions: As previously mentioned, this app fails to state that location data is requested upon download. But the policy does otherwise cover all of Google’s requirements.
50% of religious apps may violate Google Play’s standards
According to Google Play’s User Data section, privacy policies should:
- Have clear labeling as a privacy policy (for example, listed as “privacy policy” in the title).
- Feature the entity (for example, developer, company) named in the app’s Google Play store listing within the privacy policy or the app must be named in the privacy policy.
- Include developer information and a privacy point of contact or a mechanism to submit inquiries.
- Disclose the types of personal and sensitive user data the app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
- Include the developer’s data retention policy.
- Feature the developer’s deletion policy.
- Not be presented in PDF format.
Out of the 158 apps we examined, violations were found in each of the above categories.
Five apps were found to be in possible violation of all these categories due to inaccessible privacy policies. These included:
- My Prayer: The privacy policy link takes users to Dropbox, where they need to sign up in order to download it
- Shia Muslim: Quran Dua Adhan: When clicking on the link in Google Play a .html file is downloaded and features no details on privacy practices
- English Bible – Offline: Users are taken to an XML file, which doesn’t work
Of the apps with readable privacy policies, the following were found to have the most potential violations with four each. All of them failed to provide clear information on how the app accesses, collects, uses, and shares data, none provided a data retention period, and none provided a data deletion policy for users (some mention data deletion but don’t provide information on how this can be carried out).
- Hisnul Muslim | حصن المسلم:
- The Book of God and My Family | كتاب الله وعترتي
- Library of Hadith of the Prophet’s Family | مكتبة حديث العترة عليهم السلام
Hinsul Muslim doesn’t provide contact details for the developer, while the other two apps (both from the same developer) don’t display the app or developer name on the privacy policy, making it unclear what it relates to.
How to keep your data safe while using online shopping apps
Before you download and start using any kind of app, it’s a good idea to look at what permissions it requests access to on the Google Play Store. You can see this by clicking on the “Data safety” section of the app page and looking at the “Data collected” section:
Reading the privacy policy will also help you understand why this data is collected, how it may be shared, how long it’s stored for, and how you can have it deleted. However, as we’ve seen, some privacy policies fail to cover all aspects of the data collected.
Therefore, you can check exactly what permissions the app is requesting through the app settings on your device. If an app is requesting a permission that you’re not happy with, you can then revoke this permission in these settings. We provide full details on how to do this here.
You can also read our previous study–Pray in privacy: apps for Muslims that respect your personal data–for examples of apps that best protect your privacy.
Methodology
To begin, we created a list of the most popular religious apps on Google Play (based on the number of total downloads). We then examined their privacy policies to see if they covered the key areas stipulated in Google Play’s user data policy requirements. We also looked at what data the privacy policy said the app collected.
Then, we examined the individual manifests of each of the apps to see which permissions the apps were requesting. We assigned these into two categories – “normal” and “high level.” “High level” or “dangerous” permissions are those detailed by Android as ones that “give your app additional access to restricted data or let your app perform restricted actions that more substantially affect the system and other apps.”
Privacy policies were accessed using a US VPN so other versions may have been available for users in other countries. Privacy policies are frequently updated so may have seen changes since our analysis.
If it’s unclear whether or not personal data is voluntarily provided by the user or is necessary for the use of the app, we have scored this as being a requirement to use the app. In cases where it’s clear users can use the app without sharing this data, this is classed as not being a requirement.
Researchers: Danka Delić, Mantas Sasnauskas
