A cybersecurity expert has warned that some robocall blocking apps can automatically send users' private data to outside servers without asking for permission.
Dan Hastings, a security researcher at NCC Group, analyzed several anti-robocall apps and found that many of them misuse users' data as soon as they load. These programs allegedly transmit private data to third-party analytics firms, which is in direct violation of privacy laws.
In his research, Hastings mentioned three supposed robocall blocking apps: Hiya, Truecaller, and TrapCall.
Misuse Of Private Data
Hiya and Truecaller were caught transferring private data from devices even before they received permission from their users. Meanwhile, TrapCall simply sent users' phone numbers offsite without mentioning anything about it in its privacy policy.
Hastings also encountered other robocall blocking programs that sent users' information to Facebook as soon as the apps were activated.
"Without having a technical background, most end users aren't able to evaluate what data is actually being collected and sent to third parties," Hastings said.
"Privacy policies are the only way that a non-technical user can evaluate what data is collected about them while using an app."
Cybersecurity Threat Of Robocall Blocking Apps
Robocalls are a constant headache for many users. These automated programs often call people repeatedly, asking them to do such things as pay fake bills or government fines. Some even use spoofing software to make the phone number look like it's from a local caller.
Phone networks have started cracking down on robocalls, but they have yet to eliminate the problem. This leaves some consumers relying on robocall blocking apps to help keep these annoying calls off their phones.
However, Hastings pointed out that many anti-robocall apps only take advantage of user or device data. They send this information to fraudulent analytics firms to have it monetized. These apps often bury the details of their unscrupulous activity in their privacy policies.
In the case of Hiya and Truecaller, both programs sent out various information, such as device type, model, and software version, even before users had been able to agree to their privacy policies. Hastings said this violates Apple's rules on data use and sharing. Apps are required to obtain users' permission before they can use or send any data to third-party groups.
Hastings said he tried emailing the makers of the robocall blocking apps to inform them about the privacy issues. However, none of them took action. It was only after he contacted Apple directly that TrapCall changed its privacy policy.
The cybersecurity researcher also raised questions about Apple's monitoring of app privacy policies. While privacy policies may be a great idea, Hastings said apps need to do a better job of abiding by them.