The 5 Apps on Your Phone That Know Too Much About You

Here's a question worth sitting with: when did you last read the privacy policy of an app before hitting "Accept"? If the answer is never, you're not alone. Most people tap through permissions without a second thought, handing over data they'd never voluntarily give a stranger on the street. Your location. Your voice. Your face. Your browsing habits. Your shopping history. Your health.
A 2025 study by Apteco analysed over 90 of the most popular apps on Apple's App Store, measuring exactly how much personal data — data directly "linked to you" and traceable to your identity — each one collects. The findings are eye-opening. Some of the most popular apps in the world are hoovering up hundreds of individual data points per user. This isn't paranoia. It's documented fact.
At Evolving Cyber, we build software with security baked in from day one — because we believe the way software is designed determines how safe your data is. This post breaks down the five biggest offenders on your phone right now, what they're actually collecting, and what you can do about it.
1. Facebook & Instagram — The Data Empires
Let's start at the top. According to Apteco's 2025 research, Facebook and Instagram each collect a staggering 156 individual data points directly linked to your identity — more than any other app analysed in the study. Both sit under the Meta umbrella, and that shared ownership is no coincidence: it reflects a deliberately aggressive, company-wide strategy to build the most detailed profiles possible on every user.
What does 156 data points actually look like? Think name, email, phone number, date of birth, location, browsing history, purchase history, financial information, fitness data, contacts, health data — and even your sexual orientation, according to Incogni's 2025 Social Media Privacy Ranking. That report placed Meta's platforms — Facebook, Instagram, WhatsApp, and Messenger — at the very bottom of its privacy rankings across 15 major social platforms, citing repeated regulatory violations and policies that allow collection of sensitive personal information.
Facebook has faced data protection fines across Europe for multiple GDPR violations, and the FTC has also taken action in the United States. Despite this, the data collection practices remain largely unchanged. The core business model — selling targeted advertising — depends on knowing as much about you as possible.
What you can do
- Go to Settings & Privacy > Privacy Checkup on Facebook to review what you're sharing.
- Turn off Off-Facebook Activity data sharing in your settings.
- Regularly audit which third-party apps have access to your Facebook account.
2. TikTok — The Always-Watching Algorithm
TikTok tops Incogni's list for data-hungry foreign-owned apps, collecting 24 distinct data types and sharing six categories with third parties — including user names, residential addresses, and phone numbers. But the headline number undersells the issue. TikTok's algorithm processes over 100 data points per user interaction to power its content recommendations, according to industry research. That includes your precise location, device specifications, browsing behaviour, clipboard contents, and biometric identifiers such as faceprints and voiceprints.
TikTok's privacy policy explicitly states that it collects information from "publicly available sources" and from third-party platforms like Meta, Google, and X. Critically, research by Internet Safety Labs has found that this background data collection continues even when the app is not actively in use. TikTok has also recently updated its policy to collect precise GPS location data (previously only coarse location was gathered in the US) and "AI interactions."
TikTok's ownership by ByteDance — a Chinese company headquartered in Beijing — has elevated these concerns to a national security debate. While a partial US divestiture has taken place, Internet Safety Labs notes that the new structure fails to eliminate concern over foreign government access to American user data, with ByteDance retaining a nearly 20% stake in the joint venture.
What you can do
- Go to Privacy > Permissions in the TikTok app and revoke access to your microphone, contacts, and location.
- Use TikTok in a browser instead of the app to limit device-level access.
- Request your data export through Settings > Account > Download your data to see what TikTok has stored on you.
3. Amazon Alexa — The Listener in Your Living Room
Alexa leads all AI assistants in data collection, gathering 115 data points — more than double the 56 collected by Google Assistant, according to Apteco's 2025 analysis. But what makes Alexa uniquely concerning isn't just volume: it's the type of data and when it's collected. Alexa-enabled devices are, by design, always listening for a wake word. Every time they hear one — or mistakenly think they do — a recording is sent to Amazon's cloud servers and stored indefinitely unless you manually delete it, according to NordVPN's privacy analysis.
Those recordings aren't just processed by machines. Amazon uses a small sample of real conversations, reviewed by humans, to improve Alexa's speech recognition. The data collected spans voice recordings, text transcripts, contact lists, calendar appointments, geolocation, health information, and financial data. Amazon also links Alexa data with your full Amazon profile — shopping history, Kindle reading habits, Prime Video viewing — building an extraordinarily comprehensive picture of your daily life.
The situation with children is particularly concerning. In 2023, the FTC found that Amazon had ignored parents' requests to delete their child's voice recordings and location data, retaining them for years in violation of children's privacy laws.
What you can do
- Open the Alexa app > More > Settings > Alexa Privacy > Manage Your Alexa Data. Set recordings to Don't Save Recordings.
- Delete existing voice history regularly.
- Use the physical mute button on your Echo device when you want true privacy — it hardware-disables the microphone.
4. WhatsApp — Privacy Theatre with a Meta Twist
WhatsApp markets itself as a privacy-first messaging app, pointing to its end-to-end encryption as proof. But encryption only protects the content of your messages — not everything else WhatsApp collects. According to Incogni's 2025 Social Media Privacy Ranking, WhatsApp shares Meta's position near the bottom of the privacy rankings, with policies permitting the collection of sensitive data including health information.
WhatsApp collects your phone number, contact list, usage patterns, device information, IP address, location data, and — crucially — your full address book, whether or not those contacts have a WhatsApp account themselves. When you agree to WhatsApp's terms, you're also agreeing to share significant metadata with Meta: who you message, how often, at what times, and from which location.
Incogni's research also found that 12 out of 15 major social platforms — including WhatsApp — may use personal data to train AI models. Meta has been transparent that it uses interactions across its family of apps to develop and improve its AI systems, meaning your WhatsApp conversations contribute to that broader data pool.
What you can do
- Go to Settings > Privacy and disable Read receipts, restrict Last Seen, and turn off live location sharing.
- Consider Signal as a privacy-first alternative — it collects minimal metadata and is open-source.
- Opt out of sharing your WhatsApp data with Meta where available under your region's privacy laws.
5. Free Weather & Utility Apps — The Hidden Data Brokers
This one surprises people more than any other. You'd expect Facebook to harvest data. You probably haven't thought twice about your free weather app. But Tenscope's 2025 App Privacy Index — which analysed the 100 most popular free US apps — found a troubling trend of "deceptive design," where confusing interfaces and vague language are used to gain access to sensitive information. Many free utility apps — weather, flashlight, QR code scanners, file managers — are designed primarily as data collection vehicles.
These apps often request access to your precise location, contacts, camera, microphone, and storage. The data they collect is rarely used to improve the app. Instead, it's sold to data brokers — companies that aggregate personal information and sell detailed profiles to advertisers, insurers, employers, and others. A free weather app that knows your precise location 24 hours a day is worth far more to a data broker than it would be if it charged you $0.99.
Researchers at TechRadar note that many apps collect data from every aspect of our lives so data brokers can serve up eerily targeted ads — and that collected information can end up vulnerable to data breaches, misuse, and potential surveillance. A 2023 Pew Research Center survey found that 81% of US adults feel that data collected by companies is used in ways they are not comfortable with, and 70% say they have little to no trust in companies to make responsible decisions about their data.
What you can do
- Audit your app permissions today: go to your phone's Settings > Privacy > Permission Manager (Android) or Settings > Privacy (iPhone).
- Delete apps you no longer use — even dormant apps may still be collecting data.
- Check privacy labels in the App Store or Google Play before installing new apps.
The Bigger Picture: Why Software Design Matters
The apps above didn't become privacy nightmares by accident. They became that way because privacy was never a design consideration: it was an afterthought at best, and data collection was an intentional revenue strategy at worst.
The Tenscope 2025 App Privacy Index puts it bluntly: good design empowers users, but what's currently widespread is design used to manipulate them. Deliberately obscure permission flows, pre-ticked consent boxes, and privacy policies written in impenetrable legalese are not bugs — they're features of an extractive system.
At Evolving Cyber, our philosophy is the opposite. We believe that building security and privacy into software from the ground up — rather than bolting it on afterward — is the only responsible way to build. But it goes deeper than engineering. We believe technology companies have an ethical responsibility to the people who use their products. Your data is not a resource to be mined. It's personal. It belongs to you. When we build software, we ask not just "does this work?" and "is this secure?" — but "is this right?" That means being transparent about what we collect, collecting only what we genuinely need, and never designing systems that exploit the gap between what users understand and what they've technically "agreed to."
Your 5-Minute Privacy Checklist
Do these right now:
- Review app permissions.
- Delete unused apps.
- Clear your Alexa history.
- Check Facebook's Off-Facebook Activity.
- Use masked emails when possible.
Sources & Further Reading
- Apteco (May 2025) https://www.apteco.com/insights/blog/apps-ai-and-data-privacy-2025-whos-collecting-most-your-data
- AndroidHeadlines (June 2025) https://www.androidheadlines.com/2025/06/the-most-data-hungry-apps-2025-app-store.html
- Incogni — Popular Apps That Collect Extensive Personal Data https://blog.incogni.com/popular-foreign-apps/
- Incogni / The Recursive — Social Media Privacy Ranking 2025 https://therecursive.com/2025-social-media-privacy-ranking-incogni-ai-data-collection/
- Disaster Recovery Journal — Social Media Privacy Ranking 2025 https://drj.com/industry_news/social-media-privacy-ranking-2025-facebook-whatsapp-and-tiktok-the-most-privacy-invasive-social-media-platforms/
- TechRadar — Most Data Hungry Apps 2024 https://www.techradar.com/vpn/vpn-privacy-security/which-apps-were-most-hungry-for-your-data-in-2024
- TechRadar — Discord leads privacy ranking 2025 https://www.techradar.com/pro/metas-facebook-whatsapp-and-instagram-are-amongst-the-worst-offenders-when-it-comes-to-social-media-privacy-heres-what-you-need-to-know
- Internet Safety Labs — TikTok's Real Privacy Risks (January 2026) https://internetsafetylabs.org/blog/research/tiktoks-real-privacy-risks/
- NordVPN — Alexa Privacy Guide (January 2026) https://nordvpn.com/blog/alexa-privacy/
- PIRG Education Fund — Is Alexa Always Listening? https://pirg.org/edfund/resources/alexa-listening-explainer/
- Tenscope — The 2025 App Privacy Index https://www.tenscope.com/post/app-privacy-index
- YIP Institute — Data Privacy & Protection Trends in Social Media https://yipinstitute.org/policy/data-privacy-protection-trends-in-social-media
- Coursera — Data Privacy in 2026: TikTok, Facebook, and US Laws https://www.coursera.org/articles/data-privacy
- EPIC — Social Media Privacy https://epic.org/issues/consumer-privacy/social-media-privacy/
Evolving Cyber — We build software with security in mind.