According to a recent survey, nearly 1 in 5 shoppers will use a shopping app to do their holiday shopping this year. But as they hit the download button and start scrolling through all of the latest deals, are they giving away more than they bargained for?
To find out, we analyzed what permissions 91 of the most popular shopping apps were requesting after download. On average, each app requested access to 26 permissions, eight of which were classed as high-level or “dangerous” by Android.
Permissions that are classed as being “dangerous” by Android are ones that “give your app additional access to restricted data or let your app perform restricted actions that more substantially affect the system and other apps.” This includes those that request access to one or more of the following groups: body sensors, calendar, calling, camera, contacts, GPS location, microphone, storage, and texting.
While some shopping apps will require access to these permissions to provide the service, e.g. to find the deals closest to your location, many could be encroaching on your privacy by requesting access to unnecessary permissions. We also looked at whether these permissions were covered in the apps’ privacy policies, which, given that they are high-level permissions, they should be.
Our findings show that 32 of the apps that requested the camera permission and/or access to media files failed to mention this in their privacy policies. 12 apps also requested access to precise location data but failed to cover this in their privacy policies.
While looking at these privacy policies, we also examined whether or not they covered all aspects of Google Play’s privacy policy standards. We found that 60 percent are in potential violation of these standards (detailed below).
We’ve contacted all of the apps mentioned in this study and will update the article with their responses (here).
Key findings:
- The average app requests access to 26 permissions in total, 8 of which are classed as high-level/“dangerous”
- The most common dangerous permissions are ones that request access to read external storage (data outside of the app, e.g. stored on the device), access location data (precise geolocation data or approximate location based on cell tower or Wi-Fi data), and request access to the camera function
- 60% of apps (55 apps out of 91) potentially violate Google’s privacy policy standards
- The most common omission from privacy policies was the data retention period (not provided by 19 apps), followed by a clear policy on how users can delete their data (omitted by 15 apps)
- 44 apps also failed to state that the advertising ID (AD_ID) permission is used by the app upon download. All new apps are required to use this permission in place of any other device identifiers for any advertising purposes. The use of this identifier should be stipulated in the privacy policy
- These apps have been downloaded nearly 5 billion times
The average Christmas shopping app requests access to 8 high-level, “dangerous” permissions
When analyzing the manifests of each of the 91 shopping apps we studied, we found that each app requests, on average, 26 permissions in total. Over 30 percent of these permissions are classed as “dangerous” due to the data/control they give access to.
The top requested high-level permissions were:
- WRITE_EXTERNAL_STORAGE – Allows the app to write data to external storage on the device (e.g. outside of the app)
- READ_EXTERNAL_STORAGE – Allows the app to read data saved in external storage on the device (e.g. outside of the app)
- CAMERA – Gives the app access to the camera function of the device
- ACCESS_FINE_LOCATION – Gives the app access to the location of the device, accurate to within about 50 meters
- ACCESS_COARSE_LOCATION – Gives the app access to the location of the device, accurate to within about 3 square kilometers
As mentioned, even though it may be necessary for an app to request access to these permissions, it should be clear in the privacy policy that this permission will be requested, why it’s needed, and how it will be used.
For example, Groupon requests access to the CAMERA function but there is no mention of requiring access to the camera and/or media functions on the device in its privacy policy*. Other examples of those omitting the camera function permission in their privacy policy include Livelo: juntar e trocar pontos. We found a total of 32 apps that didn’t mention the camera function in their privacy policy but requested access upon download.
The privacy policies of 12 apps also omitted that their manifests requested access to the device’s location. These included DHgate-online wholesale stores, Hepsiburada: Online Shopping, and Cdiscount. Hepsiburada also failed to provide developer contact details, a data retention period, and how users can have their data deleted within its privacy policy.
Which apps request access to the most dangerous permissions?
According to our findings, the following apps requested access to exactly 20 high-level permissions each:
- Amazon Shopping – The Amazon app requested access to the most permissions in total (59) with 20 of these being “dangerous.” This included accessing the device’s location, camera, media, contacts, calendar, and various Bluetooth features. Amazon’s privacy policy was compliant across all areas except for its data retention period, which wasn’t included. (Amazon did respond to our request for a comment – see below – and we are waiting for clarification on its data retention period).
- Daraz Online Shopping App – The Daraz app requested access to 57 permissions in total, including the “dangerous” permissions of location data, camera, and access to calendar and contact data.
- Shop MM – Online Shopping App – The Shop MM app also requested 57 permissions in total with some “dangerous” ones including camera, calendar, and contact access.
- Shopee 12.12 – The Indonesian version of the Shopee app requested access to 54 permissions in total, including the camera and the device’s location.
- Shopee TH: Online shopping app – The Thai version of the Shopee app requested access to 51 permissions in total.
- Shopee: Mua Sắm Online – The Vietnamese version of the Shopee app requested access to 50 permissions in total.
Other apps with high numbers of dangerous permissions include AliExpress – Shopping App (19), Akulaku —Online Shopping (18), Flipkart Online Shopping App (18), and Shopsy (15). Shopsy and Flipkart also failed to give users a clear data deletion policy.
*Please note: all privacy policies were accessed using a US VPN so may differ from other country policies (where available) and these policies may have been updated since our analysis.
60% of shopping apps may violate Google Play’s standards
According to Google Play’s User Data section, privacy policies should:
- Have clear labeling as a privacy policy (for example, listed as “privacy policy” in the title).
- Feature the entity (for example, developer, company) named in the app’s Google Play store listing within the privacy policy or the app must be named in the privacy policy.
- Include developer information and a privacy point of contact or a mechanism to submit inquiries.
- Disclose the types of personal and sensitive user data the app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
- Include the developer’s data retention policy.
- Feature the developer’s deletion policy.
- Not be presented in PDF format.
- Clearly detail the collection and use of the app set ID; commitment to these terms must be disclosed to users in a legally adequate privacy notification. We focused on the use of AD_ID here because it is now a requirement for Google Play apps.
Across the 91 apps we covered, each category saw at least one app that was in potential violation. 19 apps failed to include a data retention policy, 15 didn’t adequately detail the developer’s deletion policy, and nine didn’t clearly describe how the app collected, used, and disclosed user data. 44 also failed to include the use of AD_ID within the privacy policy (despite this being a requested permission upon download).
The apps with the most potential violations were:
- Evouchers = 6 potential violations – UK-based Evouchers failed to provide access to a privacy policy from its Google Play listing. The link included takes the user to an FAQ page where no privacy policy information is available (including no links to a privacy policy). Evouchers was therefore found to be in potential violation of all categories as no information was available (bar PDF format as this doesn’t apply).
- OpenSooq = 5 potential violations – This popular shopping app across MENA takes the user to a “Terms of Use” page on its website where a privacy policy is mentioned but the link doesn’t work. However, as the page isn’t in PDF format and the app name is mentioned alongside the developer’s contact details this app did gain three “plus” points.
- Markaz: Shop, Dropship, Earn = 4 potential violations – Markaz has a “privacy policy” title, includes the developer’s/app’s name in the policy, doesn’t display the policy in a PDF format, and provides information on how data is collected and used. It doesn’t give users any contact details, however, and it doesn’t have clear data deletion or data retention policies.
App developer responses to our findings
We contacted all of the aforementioned apps for clarification on our findings and have received the following responses.
Amazon
“Regarding the claim that some of the device permissions are “dangerous,” we’d like to clarify that the permissions we request are safe and critical to the functionality of the Amazon Shopping app. When enabled, these permissions provide helpful features to our customers, such as the ability to visualize products in their home with their device’s camera or search for products using text-to-speech. Customers have full transparency into the device permissions and control which permissions they allow in the Permissions dashboard within the app.
“Regarding the claim about our privacy policy, we are compliant with Google Play’s privacy standards. Google requires app developers to link to their privacy policies and include information about their data retention and deletion policies and practices, such as how a user may request deletion of their account. Our Privacy Notice states that customers have the right to request access and deletion of their personal information and provides a link to a page with more information on how they can exercise these rights.”
We have asked for more details on the data retention policy as we were unable to find clarification on how long Amazon stores user data for before it is deleted.
AliExpress
“We appreciate your attention to the access permissions used by shopping apps, including AliExpress. Your efforts to highlight potential privacy concerns are valuable in ensuring user security and transparency.”
“It seems that your primary concern is whether apps obtain explicit user consent when accessing permissions. The potential risks associated with these permissions should be evaluated based on whether they are necessary for the app’s functionality and the provision of services to users, and whether the app has obtained access permissions in compliance with applicable laws and regulations.
“If the permissions are essential for the intended purpose and services, and consent has been obtained from the user in accordance with applicable laws and regulations, then it should be considered compliant. Some permissions may be sensitive, but this does not mean that all such permissions trigger risks.
“Your report mentions that our platform has 19 “dangerous” access permissions but does not specify which ones. We would like to clarify that we only request access permissions from users in specific scenarios where this is necessary for the app’s functionality and the provision of services to the user. For each permission, we ensure to obtain the user’s consent in compliance with the applicable laws and requirements.
“We are deeply committed to our users’ privacy rights and information security, considering them core to our promise of a secure and reliable platform. We have put in place thorough data security measures, including regular reviews of our data practices to uphold our ISO certifications for data security. We will persist in safeguarding user privacy and security, following all applicable laws and regulations.”
Daraz/Shop MM
“It appears that your primary concern is whether apps obtain explicit user consent when accessing permissions. The potential risks associated with these permissions should be evaluated based on whether they are necessary for the app’s functionality and the provision of services to users, and whether the app has obtained access permissions in compliance with applicable laws and regulations, if any.
“RE: Your claim that our platform requests for 20 “dangerous” access permissions – We would like to clarify that we only request access permissions from users in specific scenarios where this is necessary for the app’s functionality and the provision of services to the user. For each permission, we ensure to obtain the user’s express consent, in compliance with the applicable laws and requirements, if any.”
“Daraz is one of South Asia’s leading e-commerce platforms operating across Pakistan, Bangladesh, Sri Lanka, Nepal and Myanmar (Shop MM). Please note that at present, there are no legal/compliance regulations in force, in terms of data protection as mandated by law, in any of the Daraz ventures. Nevertheless, we are deeply committed to our users’ privacy rights and information security, considering them core to our promise of a secure and reliable platform. We have put in place thorough data security measures, including regular reviews of our data practices to uphold our ISO certifications for data security.”
How to keep your data safe while using online shopping apps
Before you download and start using an app, it’s a good idea to look at what permissions it requests access to on the Google Play store. You can see this by clicking on the “Data safety” section of the app page and looking at the “Data collected” section.
Reading the privacy policy will also help you understand why this data is collected, how it may be shared, how long it’s stored for, and how you can have it deleted. However, as we’ve seen, some privacy policies fail to cover all aspects of the data collected.
Therefore, you can check exactly what permissions the app is requesting through the app settings on your device. If an app is requesting a permission that you’re not happy with, you can then revoke this permission in these settings. We provide full details on how to do this here.
Methodology
First, we collated a list of the most popular shopping apps on Google Play (based on the number of total downloads). We then examined their privacy policies to see if they covered the eight key areas stipulated in Google Play’s user data policy requirements. We also looked at what data the privacy policy said the app collected.
Then, we examined the individual manifests of each of the apps to see which permissions the apps were requesting. We sorted these into two categories – “normal” and “high level.” “High level” or “dangerous” permissions are those detailed by Android as ones that “give your app additional access to restricted data or let your app perform restricted actions that more substantially affect the system and other apps.”
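The two steps above (reading the permissions an app’s manifest requests and checking whether the high-level ones are disclosed in its privacy policy, including the AD_ID check described in the methodology) can be automated. The script below is an added example written for this article, not the researchers’ own tooling. It assumes a hand-built subset of Android’s runtime-permission groups (the `DANGEROUS` table), a heuristic vocabulary of terms that count as disclosure (`POLICY_TERMS`, which reuses the AD_ID synonyms the methodology names), and a constructed sample manifest and policy excerpt that belong to no real app.

```python
"""Audit an Android manifest's permissions and cross-check them against
a privacy policy's text. Added example; assumptions are marked below."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed subset of Android "dangerous" runtime permissions, keyed by the
# permission groups the article lists. Not an exhaustive list.
DANGEROUS = {
    "android.permission.BODY_SENSORS": "body sensors",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.CALL_PHONE": "calling",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.SEND_SMS": "texting",
}

# AD_ID is a normal (install-time) permission, but Google Play requires
# the policy to disclose it, so it is checked separately.
AD_ID = "com.google.android.gms.permission.AD_ID"

# Heuristic disclosure vocabulary (assumption for this example). The
# AD_ID synonyms are the ones the methodology section says were accepted.
POLICY_TERMS = {
    "body sensors": [r"\bsensors?\b", r"\bhealth\b"],
    "calendar": [r"\bcalendar\b"],
    "calling": [r"\bphone (number|state|calls?)\b", r"\bcall logs?\b"],
    "camera": [r"\bcamera\b", r"\bmedia files?\b", r"\bphotos?\b"],
    "contacts": [r"\bcontacts?\b", r"\baddress book\b"],
    "location": [r"\blocation\b", r"\bgeolocation\b", r"\bgps\b"],
    "microphone": [r"\bmicrophone\b", r"\baudio\b"],
    "storage": [r"\bstorage\b", r"\bfiles?\b", r"\bmedia\b"],
    "texting": [r"\bsms\b", r"\btext messages?\b"],
    "ad_id": [r"\bad_id\b", r"\badvertising id\b",
              r"\bidentifiers? for advertising\b", r"\bgoogle ad id\b"],
}


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def classify(permissions):
    """Split permissions into a 'normal' list and a {dangerous: group} map."""
    dangerous = {p: DANGEROUS[p] for p in permissions if p in DANGEROUS}
    normal = [p for p in permissions if p not in DANGEROUS]
    return normal, dangerous


def policy_covers(policy_text, group):
    """True if the policy text mentions any accepted term for the group."""
    text = policy_text.lower()
    return any(re.search(pat, text) for pat in POLICY_TERMS.get(group, []))


def audit(manifest_xml, policy_text):
    """Summarise counts and list dangerous groups requested but undisclosed."""
    perms = requested_permissions(manifest_xml)
    _normal, dangerous = classify(perms)
    groups = sorted(set(dangerous.values()))
    undisclosed = [g for g in groups if not policy_covers(policy_text, g)]
    ad_id_requested = AD_ID in perms
    return {
        "total": len(perms),
        "dangerous": len(dangerous),
        "groups": groups,
        "undisclosed_groups": undisclosed,
        "ad_id_requested": ad_id_requested,
        "ad_id_undisclosed": ad_id_requested
                            and not policy_covers(policy_text, "ad_id"),
    }


# Constructed sample manifest (no real app); AD_ID and camera are requested.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shopdemo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

# Constructed policy excerpt: discloses location and files, never camera or AD_ID.
SAMPLE_POLICY = """We collect your precise location to show nearby deals.
We may store files you upload. Data is retained for 24 months."""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_POLICY))
```

On the constructed sample this flags the camera group and the AD_ID permission as requested but undisclosed, which is exactly the kind of gap the study counted. A keyword match is deliberately generous: a policy that mentions “location” anywhere passes, so the script finds omissions, not compliance, and a human still has to read the policies that pass.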
Privacy policies were accessed using a US VPN so other versions may have been available for users in other countries. Privacy policies are frequently updated so may have seen changes since our analysis.
When looking for the AD_ID permission, we allowed for other key terms, such as “advertising ID”, “identifiers for advertising” and “Google AD ID”.
Researchers: Charlotte Bond, Mantas Sasnauskas