Robocall Blocking Apps Breaching Users’ Privacy

Robocall blocking apps, such as Truecaller and Hiya, have been popular among users. These apps not only spare users the annoyance and frustration of taking unsolicited, scam and robocalls, but also often help them identify unknown numbers. Ironically, these apps that seemingly protect users’ privacy have themselves been found to breach it. Researchers have found many of these apps collecting users’ data and, in some cases, sharing it with third parties.

Robocall Blocking Apps Privacy Breach

Dan Hastings, a security researcher at NCC Group, has reported that some robocall blocking apps breach users’ privacy. As elaborated in his blog post, the apps collect users’ data, including chats and activities, and often share details such as phone numbers with third parties.

Hastings highlighted that the problem lies in the gap between what the apps state in their privacy policies and what they actually do. He analyzed around 10-15 such apps, including Truecaller, Hiya, and TrapCall.

As per his findings detailed by TechCrunch, TrapCall secretly shared users’ phone numbers with a third-party data analytics firm, AppsFlyer. The app’s privacy policy did not mention this, nor did the app ask users for permission to share their numbers.

Likewise, Truecaller and Hiya allegedly uploaded users’ details, including device model, type, and software version, even before a user accepts their privacy policy. Hiya also requests access to location data on Android, which seems irrelevant to call blocking. The company justifies this by saying that it helps users ‘find nearby businesses easily’.

Hastings observed such privacy violations even in apps on Apple’s App Store, which is a clear violation of Apple’s app policies as well. Explaining the problem in his blog post, he stated,

Apple requires that each privacy policy must have a clause that provides a way for a user to “revoke consent and/or request deletion” of a user’s data. Most privacy policies say this, but then have a general statement like “contact us” as the only directive. If deleting your personal data is hard, imagine trying to find the appropriate place to report privacy violations in the app.

How The Apps Responded

In response to Hastings’ findings, Truecaller, TrapCall and Hiya clarified their stance. According to TechCrunch, Truecaller spokesperson Manan Shah succinctly stated,

We comply with Apple guidelines.

Hiya, as quoted by CNET and TechCrunch, said in its statement,

While it is true that Hiya currently sends some basic device data to third party services upon opening the app (a standard industry practice in compliance with Apple’s guidelines), that does not and has never included phone numbers or any Personally Identifiable Information (PII).
We are currently working on strengthening our privacy even further by re-submitting our apps so that even this basic device information is not shared prior to explicit consent by the user.

TrapCall also clarified in its statement that it shares users’ phone numbers only with specified service providers. According to CNET,

TrapCall only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose.

Hastings suggests that apps should make their privacy policies clearer and more transparent.

First, privacy policies should not only become more transparent and user-friendly, but they should also actually protect the user. Second, apps must clearly describe the level of user information that is being collected when the app is viewed for the first time. Third, users should be able to opt-out of specific provisions of the privacy policy, just as they can partially accept permissions (GPS location, accessing contacts, etc.). Otherwise, privacy policies only serve to check the requirements box. They really don’t protect the user.

More details about Hastings’ findings can be obtained from his talk on August 11, 2019, at DEF CON’s Crypto and Privacy Village.
