Mobile phones are ubiquitous these days, and both spammers and scammers have responded by targeting these devices with robocalls—chances are, the IRS is not really after you, despite what that automated voice recording may have said. One way to fight back is with an app designed to block robocalls. However, while these apps may do a decent job of cutting down on unwanted robocalls, the functionality may come at the expense of your privacy.
As always, it is important to look at what permissions these apps are requesting, and of course it is good practice to limit your app grabs from trusted sources—Apple's App Store and Google's Play Store, primarily, though there are others.
Even still, it might not be enough. Dan Hastings, a security researcher from NCC Group, told TechCrunch that several popular apps designed to block robocalls also run afoul of privacy policies and expectations. Many of them collect and send user data to third-party firms, usually to the financial benefit of the developer, according to Hastings.
In some cases, there is a disclaimer nestled in an app's privacy policies, but in other cases, this behavior happens without the user's consent, Hastings claims. According to Hastings, the latter is the case with TrapCall—he says it sends phone numbers of its users to AppsFlyer, a third-party analytics firm, without alerting users to this behavior.
TrapCall is not the only app to be concerned about. Hastings says both Truecaller and Hiya upload a user's device data, including the device type, model, software version, and other information, before a user has a chance to accept the app's privacy policies. While that seems rather tame in the grand scheme of things, that type of behavior runs afoul of Apple's polices.
"Without having a technical background, most end users aren’t able to evaluate what data is actually being collected and sent to third parties," Hastings said. "Privacy policies are the only way that a non-technical user can evaluate what data is collected about them while using an app."
Hastings sent emails to the developers of these apps to let them know about the apparent privacy violations, and to TrapCall's credit, the developers updated the app's privacy polices, though only after Apple got involved.
Likewise, a spokesperson for Truecaller said the developers have since implemented a fix to be in compliance with Apple's app guidelines. Hiya, meanwhile, said it does send certain data to third parties, but says it does not collect personal information.