Robocall blocking apps, such as Truecaller and Hiya, have been popular among the users. These apps not only save the users from the annoyance and frustration of taking unsolicited, scam and robocalls, but also often help them identify unknown numbers. While that sounds interesting, ironically, these apps that seemingly take care of users’ privacy actually breached their data privacy. Researchers have found many of these apps collecting users’ data, and sometimes, sharing it with third parties.
Robocall Blocking Apps Privacy Breach
A security researcher Dan Hastings from the NCC Group has reported about some robocall blocking apps breaching users’ privacy. As elaborated in his blog post, the apps used to collect users’ data including chats and activities, often shared some details including phone numbers with third parties.
Hastings highlighted that the problem appeared with what the apps presented in their privacy policies, and what they actually do. He analyzed around 10-15 of such apps, including Truecaller, Hiya, and TrapCall.
The researchers could easily notice such kind of privacy violations even by apps on Apple’s App Store. That’s a clear violation of Apple’s policies for apps as well. Explaining this problem in the blog post, he stated,
How The Apps Responded
In response to Hasting’s findings, Truecaller, TrapCall and Hiya clarified their stance. According to TechCrunch, Truecaller spokesperson Manan Shah succinctly assured.
We comply to Apple guidelines.
Whereas, Hiya, as quoted by CNET and TechCrunch, said in its statement,
While it is true that Hiya currently sends some basic device data to third party services upon opening the app (a standard industry practice in compliance with Apple’s guidelines), that does not and has never included phone numbers or any Personally Identifiable Information (PII).
We are currently working on strengthening our privacy even further by re-submitting our apps so that even this basic device information is not shared prior to explicit consent by the user.
In addition, TrapCall also clarified in its statement that it shares users’ phone numbers with specified service providers only. According to CNet,
TrapCall only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose.
Hastings suggests that apps should make their privacy policies clearer and more transparent.
More details about Hasting’s findings can be obtained from his talk on August 11, 2019, at the Defcon’s Crypto and Privacy Village.
Let us know your thoughts in the comments section.