These Robocall Blocking Apps May Be Secretly Selling Your Data
TrapCall, Hiya, Truecaller said to violate privacy guidelines
LAS VEGAS -- Many robocall-blocking apps for smartphones send your phone number and other identifying information to advertisers, and almost all connect to either Facebook or Google, security researcher Dan Hastings said in a presentation this past weekend at the DEF CON 27 hacking conference here.
Hastings looked at about 10 robocall blockers in the iOS App Store and analyzed which online services they communicated with. He also read their privacy policies and found that almost all of the apps didn't meet Apple's own privacy guidelines, which every app is supposed to follow.
"Robocall-blocking apps have access to your phone number, your contacts, even your text messages and voicemails," Hastings said. "Is this information leaked to third parties, such as data brokers or analytics companies?"
In some cases, the answer appears to be yes. Hastings said the TrapCall app sends your phone number to three other companies. The Hiya app sends your data to third-party analytics companies before you even accept the privacy policy, he said.
Meanwhile, Truecaller's privacy policy said it may collect personal information from other apps, Hastings said.
"I didn't observe that Truecaller was actually doing this," he said. "But it's definitely against Apple's privacy guidelines."
MORE: Stopping Robocalls: What the Big Four Carriers Are Really Doing
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Such violations of Apple's privacy guidelines are what spurred Apple to temporarily shut down some Facebook and Google apps this past spring after both companies were caught using features meant for in-house use in market-research apps in the App Store.
The other iOS apps Hastings looked at -- Call Blocker, Call Protect, Mr. Number, Nomorobo, Numbo, RoboKiller, SpamKiller and YouMail -- had less serious privacy violations, but all except Mr. Number and Call Protect connected to Facebook upon launching, as did Hiya, TrapCall and Truecaller. (Call Protect is not to be confused with AT&T's Call Protect.)
Hastings said he contacted Apple about the privacy-guidelines violations of the robocall-blocking apps, but the only response he had received by the time of his presentation Sunday (Aug. 11) was that the issue would be passed along to the App Store review team.
Tom's Guide reached out to Apple for comment, and we will update this story if Apple responds.
Hastings also contacted Hiya and TrapCall, who told him they were working on fixing the privacy policies, but Hastings said neither of their privacy policies had been corrected as of Aug. 9. Truecaller, he said, never responded to his inquiries, but that its privacy policy "magically changed" the day Hastings contacted Apple.
"Apple clearly isn't monitoring apps' privacy policies for compliance with their guidelines," Hastings said. "Apps need to get better about abiding by privacy polcies, and users deserve to know how apps handle their data."
Asked by an audience member if he'd found any robocall-blocking apps that "weren't terrible," Hastings punted.
"All of them send data to analytics companies," he said. "They don't need to -- all the blocking technology is within the app. There were a couple that were incredibly simple, so I liked those the best. But I stopped using all robocall-blocking apps, and now I get a ton of robocalls."
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.