Robocall blocking apps caught sending your private data without permission

Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be?

One security researcher said many of these apps can violate your privacy as soon as they are opened.

Dan Hastings, a senior security consultant at cybersecurity firm NCC Group, analyzed some of the most popular robocall-blocking apps — including TrapCall, Truecaller and Hiya — and found egregious privacy violations.

Robocalls are getting worse, with some getting tens or dozens of calls a day. These automated calls demand you “pay the IRS” a fine you don’t owe or pretend to be tech support. They often try to trick you into picking up the phone by spoofing their number to look like a local caller. But as much as the cell networks are trying to cut down on spam, many are turning to third-party apps to filter their incoming calls.

But many of these apps, said Hastings, send user or device data to third-party data analytics companies — often to monetize your information — without your explicit consent, instead burying the details in their privacy policies.

One app, TrapCall, sent users’ phone numbers to a third-party analytics firm, AppsFlyer, without telling users — neither in the app nor in the privacy policy.

He also found Truecaller and Hiya uploaded device data — device type, model and software version, among other things — before a user could accept their privacy policies. Those apps, said Hastings, violate Apple’s app guidelines on data use and sharing, which mandate that app makers first obtain permission before using or sending data to third-parties.

Many of the other apps aren’t much better. Several other apps that Hastings tested immediately sent some data to Facebook as soon as the app loaded.

“Without having a technical background, most end users aren’t able to evaluate what data is actually being collected and sent to third parties,” said Hastings. “Privacy policies are the only way that a non-technical user can evaluate what data is collected about them while using an app.”

None of the companies acted on emails from Hastings warning about the privacy issues, he said. It was only after he contacted Apple when TrapCall later updated its privacy policy.

But he reserved some criticism for Apple, noting that app privacy policies “don’t appear to be monitored” as he discovered with Truecaller and Hiya.

“Privacy policies are great, but apps need to get better about abiding by them,” said Hastings.

“If most people took the time to read and try to understand privacy policies for all the apps they use (and are able to understand them!), they might be surprised to see how much these apps collect,” he said. “Until that day, end-users will have to rely on security researchers performing manual deep dives into how apps handle their private information in practice.”

Truecaller spokesperson Manan Shah confirmed it was sending data when the app was opened but later submitted a fix, which is now live. “We comply to Apple guidelines,” said the spokesperson.

Hiya conceded that it sends some device data to third-party services when opening the app but claims it doesn’t collect personal information. “We are currently working on strengthening our privacy even further by re-submitting our apps so that even this basic device information is not shared prior to explicit consent by the user,” the statement said.

A spokesperson for TrapCall did not comment when reached prior to publication.

Updated with statement from Truecaller and Hiya.