A Very Basic Framework for Apps to Avoid
This guide accompanies Native Apps Should Be Avoided Whenever Possible.
Rather than memorize a list of bad actors, learn the categories to avoid, or at least have an understanding of the breadth of collection. The named examples below are illustrations, not the boundaries of the problem.
1. Social media apps
Social media apps are the single largest category of data collection on a mobile device. Installed as a native app, the service can request contacts, location, camera, microphone, photo library, and clipboard access, read stable device identifiers such as the advertising ID, and collect behavioral telemetry, including in the background.
Using the same service through its website is significantly better for privacy: a web page cannot read your contact list or a stable advertising identifier, location, camera, and microphone are gated behind per-site prompts, nothing runs when the tab is closed, and cookies can be cleared or blocked.
There is an additional benefit: friction. The app is designed to minimize the distance between impulse and engagement, and there are lawsuits alleging that this design is addictive. Using the website adds enough friction that most people use the service less, which is independently good for attention and mental health and reduces the volume of data generated.
If you use social media, use it through the browser. If you must use an app, revoke every permission except the minimum required, disable background refresh, and disable notifications.
2. Messaging apps
Messaging data is uniquely sensitive: it contains the full content of private conversations, along with timestamps, participants, and often location.
Strongly prefer Signal, which is open-source, end-to-end encrypted by default, collects minimal metadata, and is operated by a nonprofit. Avoid messaging apps that are subsidiaries of advertising companies.
Where Signal isn’t an option, phone calls and SMS at least don’t require you to surrender your contact list to a third party — though neither is encrypted, and both are accessible to your carrier and to law enforcement without the protections that apply to app-based E2E encryption.
3. Keyboard apps
A keyboard app occupies the most privileged position of any app on a device. It sees every password, every message, every search query, every note-to-self.
- In 2017, the third-party keyboard ai.type leaked the personal data of 31 million users, including contacts, installed apps, IMEI numbers, and phone numbers, from an unsecured database. The free version collected substantially more data than the paid version.[1]
- In April 2024, the Citizen Lab at the University of Toronto published a report finding that cloud-based keyboard apps from eight of nine major vendors (Baidu, Samsung, Tencent, Xiaomi, OPPO, Vivo, iFlytek, and Honor) contained vulnerabilities that let a network eavesdropper recover keystrokes in transit to the vendors' cloud prediction servers; the flaws ranged from home-grown encryption with exploitable weaknesses to keystrokes sent over plain HTTP. Only Huawei's keyboard was not found to be vulnerable. The researchers estimated up to one billion users were at risk.[2]
Use your OS's built-in keyboard. If you need a third-party keyboard, use one that operates entirely on-device with no cloud processing, and never grant it network access: on iOS that means leaving "Allow Full Access" off for the keyboard; on Android, network access is an install-time permission that stock settings will not let you revoke, so a keyboard that declares it should not be installed at all (GrapheneOS is an exception, exposing a per-app Network toggle).
4. Pre-installed apps
Carrier bloatware. OEM utilities. Default health and fitness apps. The user never installed them, did not consent to them in any meaningful sense, and often cannot remove them. Because they ship in the system partition, they can hold privileged and pre-granted permissions that user-installed apps cannot obtain, and the OS typically only lets you disable them rather than uninstall them.
- In 2024 the FCC fined the four major US carriers a combined ~$196 million for selling real-time customer location data.[3] Pre-installed manufacturer apps from non-US OEMs have separately been found by independent audits to send telemetry to servers in the OEM's home country.
Disable everything pre-installed that you do not actively use. Better yet, never buy a phone on which you cannot choose the OS; I recommend installing GrapheneOS. If you are using iOS, take the time to carefully revoke every permission you do not need.
Where the OS does not allow uninstall, revoke all permissions and disable background activity.
5. Kids’ apps
COPPA violations are very common in the children’s app market. If children must use apps, pay for them. A paid app from a known developer with no advertising removes the economic incentive to embed tracking SDKs. Free children’s apps are funded by the same advertising pipeline described in section 6 — the child’s attention and data are the product. Prefer the browser where a web version exists, and use your OS’s parental controls (iOS Screen Time, Android Family Link) to restrict permissions and prevent installation of unapproved apps.
- YouTube/Google paid $170 million in 2019, the largest COPPA settlement in FTC history at the time, after the FTC and New York Attorney General found YouTube had collected persistent identifiers from viewers of child-directed channels to serve targeted advertising, while simultaneously marketing its popularity with children to corporate advertisers.[4]
- Epic Games (Fortnite) paid $520 million in December 2022 across two FTC settlements: $275 million in COPPA civil penalties for collecting children's personal information without parental consent, and $245 million for dark-pattern charges that tricked players into unwanted purchases. The FTC also charged that Fortnite's on-by-default voice and text chat matched children with strangers, leading to harassment and abuse.[5]
6. Free mobile games
Free-to-play games embed five to twenty advertising SDKs, each with its own data pipeline. Subway Surfers, Candy Crush, Words With Friends — these are not unusually bad actors, but they are the volume layer that makes the data broker market economically viable.
7. Apps in categories where the harm is asymmetric
Some data is more dangerous than other data. In the categories below, a single sale or leak can cost someone a job, a custody case, a healthcare decision, or their physical safety. Take special care before installing any app in these categories.
- Period and fertility tracking: Flo settled with the FTC in 2021 over data shared with Facebook and Google. In August 2025 a federal jury found Meta liable for violating the California Invasion of Privacy Act by intercepting Flo users’ reproductive health data without consent. The combined settlements across all defendants totaled $59.5 million.[6]
- Mental health and therapy: BetterHelp settled with the FTC in 2023 for $7.8 million after sending mental health questionnaire responses to Facebook, Snapchat, Pinterest, and Criteo for advertising purposes.[7]
- Dating: Especially apps tied to sexual orientation, religion, or HIV status. Grindr was fined approximately €6.5 million (NOK 65 million) by Norway’s data protection authority for sharing user data — including GPS location and the fact that a user was on Grindr — with third parties for behavioral advertising without valid consent. The fine was upheld on appeal in 2023.[8]
- Religious practice: Muslim Pro sold prayer-time location data through X-Mode to US military contractors. A Vice/Motherboard investigation in 2020 found at least five additional Muslim prayer apps feeding data to the same broker.[9]
- Family and child location: Life360 sold precise location data on tens of millions of users, including minors, to approximately a dozen data brokers. A 2021 investigation by The Markup identified it as one of the largest sources of data for the location data industry.[10]
The risk in these categories is documented across multiple federal enforcement actions in the last five years.
8. “Smart” devices whose primary product is the app
Many devices require a companion app to function — doorbells, thermostats, fitness trackers, smart TVs, connected cars. The app inherits every permission the hardware needs (camera, microphone, location, network), and you often can’t use the device without it. That makes the app mandatory, and the data collection non-negotiable.
The better approach is to choose hardware based on its privacy model before you buy it:
- Don’t connect your smart TV to the internet. Use a separate streaming device you can control, or better yet, a computer.
- Avoid Ring, Nest, and other cloud-dependent camera systems. Choose local-storage alternatives that don’t require an account or a companion app.
- Avoid connected car features like OnStar. If the car has a data-sharing program, opt out explicitly — and verify it’s actually off.
- For fitness tracking, prefer devices that sync locally or use open protocols rather than requiring a proprietary app with a cloud account.
If a product can’t be set up or used without a proprietary app, that’s a signal that the ongoing data relationship is part of the product’s business model. Choose products where it isn’t.
9. Rewards program apps
Grocery loyalty cards. Pharmacy rewards. Fuel rewards. Insurance telematics opt-ins like Progressive Snapshot, State Farm Drive Safe & Save, Allstate Drivewise. Smart home devices tied to insurance premium discounts.
The discount is the price the company is willing to pay for your data. In the Arity litigation, plaintiffs allege that apps such as GasBuddy, Fuel Rewards, Life360, and Routely embedded Arity's SDK to collect driving telematics that Allstate used to set premiums, affecting some 45 million people. A consolidated federal class action is proceeding to trial.[11]
10. Apps that exist to wrap a website
Apps for banks, airlines, retailers, restaurants, news outlets, and government services are wrappers around a website that already works. The app exists because the company prefers the data the app collects to the data the website allows: a native app gets a stable advertising identifier, a push token, whatever permissions it can talk you into granting, and a place to run tracking SDKs outside the reach of the browser's content blocking and cookie controls.
Before installing any app, check whether the same service works in your mobile browser. If it does, use that instead.
11. Free apps with limited functionality
Flashlight apps. Free weather apps. Free VPNs. Free QR scanners.
Onavo, Facebook's free VPN, was pulled from the App Store in 2018 and the Play Store in 2019 after it was revealed to be a data-collection front that used man-in-the-middle techniques to intercept encrypted traffic from competing apps.[12] Hola turned its users' devices into exit nodes for paying customers through its Luminati subsidiary, which was used to launch a DDoS attack against 8chan.[13] Avast, an antivirus vendor, ran its subsidiary Jumpshot for six years selling the browsing history of over 100 million devices to more than 100 companies before the FTC ordered it to stop in 2024 and required it to pay $16.5 million.[14]
If the function is trivial and the company is unknown, assume the data is the product.
12. Apps that request permissions disproportionate to their function
A calculator that wants location. A drawing app that wants contacts.
Granting location to one app grants it to every third-party SDK compiled into that app, because the OS enforces permissions per app, not per library: an analytics or advertising SDK running inside the app's process reads the same location the app does. Read the permissions before installing, and revoke anything not strictly required by the function.
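The audit that sections 3, 4, and 12 call for can be scripted against an Android device over adb. The following is an added example written for this guide, not code from the original article or from any project it names. It assumes the text layout that `adb shell dumpsys package <pkg>` prints on recent Android releases (a `Package [name]` header, a package-level `flags=[ ... ]` line, then `<permission>: granted=true|false` entries) and the `package/.Service` identifiers that `adb shell ime list -s` prints for enabled keyboards. The sample dump, the package names, the keyboard ID, and the table of which capabilities each app legitimately needs are all constructed for illustration.

```python
"""Flag disproportionate, keyboard-with-network, and pre-installed permission
grants from `adb shell dumpsys package` output, and emit adb remediation.

Added example for this guide; the sample data below is constructed."""
import re

# Capability each permission confers. INTERNET is included because a keyboard
# that holds it can send keystrokes off-device.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.INTERNET": "network",
}

# Constructed sample shaped like `adb shell dumpsys package <pkg>` for three
# hypothetical packages, concatenated.
SAMPLE = """\
Package [com.example.calculator] (a1b2c3):
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.cloudkeyboard] (d4e5f6):
    flags=[ HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.oem.health] (0a0b0c):
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

# Hypothetical baseline: capabilities each app's function actually needs.
EXPECTED = {
    "com.example.calculator": set(),
    "com.example.cloudkeyboard": set(),
    "com.oem.health": {"location"},  # a fitness tracker plausibly needs GPS
}
# Hypothetical output of `adb shell ime list -s` (enabled keyboard IDs).
KEYBOARD_IDS = {"com.example.cloudkeyboard/.CloudIME"}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
FLAGS_RE = re.compile(r"^\s+flags=\[([^\]]*)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: {"system": bool, "granted": set(permission)}}."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = {"system": None, "granted": set()}
            pkgs[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = FLAGS_RE.match(line)
        if m and cur["system"] is None:
            # First flags line is package-level; SYSTEM means pre-installed.
            cur["system"] = "SYSTEM" in m.group(1).split()
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":  # ignore declared-but-denied entries
            cur["granted"].add(m.group(1))
    for p in pkgs.values():
        p["system"] = bool(p["system"])
    return pkgs


def audit(pkgs, expected, keyboard_ids):
    """Return (package, finding, detail) triples; detail is a list."""
    keyboards = {i.split("/")[0]: i for i in keyboard_ids}
    findings = []
    for name, p in pkgs.items():
        caps = {q: SENSITIVE[q] for q in p["granted"] if q in SENSITIVE}
        allowed = expected.get(name, set())
        runtime = sorted(q for q, c in caps.items() if c != "network")
        extra = [q for q in runtime if caps[q] not in allowed]
        if extra:  # section 12: capability the function does not need
            findings.append((name, "disproportionate", extra))
        if name in keyboards and "android.permission.INTERNET" in caps:
            findings.append((name, "keyboard-with-network", [keyboards[name]]))
        if p["system"] and runtime:  # section 4: pre-installed, holding grants
            findings.append((name, "preinstalled-with-runtime-grants", runtime))
    return findings


def remediation(findings):
    """adb commands that revoke or disable what the audit flagged."""
    cmds = []
    for name, kind, detail in findings:
        if kind == "preinstalled-with-runtime-grants":
            # SYSTEM packages cannot be uninstalled; disable for the user.
            cmds.append(f"adb shell pm disable-user --user 0 {name}")
        elif kind == "keyboard-with-network":
            # INTERNET is install-time and not revocable with `pm revoke` on
            # stock Android, so switch the keyboard off instead.
            cmds.append(f"adb shell ime disable {detail[0]}")
        else:
            cmds.extend(f"adb shell pm revoke {name} {q}" for q in detail)
    return cmds


if __name__ == "__main__":
    for cmd in remediation(audit(parse_dumpsys(SAMPLE), EXPECTED, KEYBOARD_IDS)):
        print(cmd)
```

To run it against a real device, replace `SAMPLE` with the concatenated output of `adb shell dumpsys package <pkg>` for the packages from `adb shell pm list packages`, and `KEYBOARD_IDS` with the output of `adb shell ime list -s`; the `EXPECTED` table is the judgment call the section asks you to make per app. Review the printed commands before running them, since disabling a system package can break a feature you rely on.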
13. Apps from jurisdictions where you have no legal recourse
A US app under FTC oversight has at least the structural possibility of a settlement, a fine, and refunds. An app whose corporate parent and data processing both sit in a jurisdiction that does not recognize foreign privacy claims offers none of that.
Temu, Shein, Pinduoduo (suspended from Google Play in March 2023 after researchers found it exploiting an Android zero-day vulnerability, CVE-2023-20963, to escalate privileges, harvest data, and install backdoors on users’ devices),[15] TikTok (DOJ COPPA lawsuit), and pre-installed Xiaomi and Huawei utilities all fall in this category. So would any US app exporting data to a third country with no enforcement reciprocity.
14. Apps from companies you have never heard of
The named cases above involve large, recognizable brands, because those are the companies that regulators and journalists have the resources to investigate. An unknown developer faces none of that scrutiny.
If the developer is unknown and the function is generic, the default assumption should be that the app is a data product.
References
1. Massive Breach Exposes Keyboard App that Collects Personal Data On Its 31 Million Users (The Hacker News, December 5, 2017). Kromtech Security Center discovered 577 GB of user records in an unsecured MongoDB database, including 373 million scraped contact records.
2. The Not-So-Silent Type: Vulnerabilities Across Keyboard Apps Reveal Keystrokes to Network Eavesdroppers (Citizen Lab, University of Toronto, April 23, 2024). Eight of nine vendors’ keyboard apps contained exploitable vulnerabilities in cloud-based keystroke transmission.
3. FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data (FCC, April 29, 2024). The investigation began after a Missouri sheriff was found tracking individuals through a “location-finding service” operated by Securus. The carriers continued sharing data even after being notified. The Supreme Court is reviewing appeals from AT&T and Verizon as of 2026.
4. Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law (FTC, September 4, 2019). YouTube collected persistent identifiers from child-directed channels and earned millions in targeted advertising revenue.
5. Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (FTC, December 19, 2022). The $275 million COPPA penalty was the largest ever obtained for an FTC rule violation.
6. Flo Health, Inc. — FTC settlement (FTC, 2021), Federal jury finds Meta illegally farmed data from Flo period-tracker app (National Law Review, August 18, 2025), and Menstrual app privacy suit nears $56 million payday (Courthouse News, December 4, 2025). The August 2025 jury verdict against Meta was the first jury finding of liability against a major tech company for health data misuse.
7. FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million (FTC, July 2023). The FTC charged BetterHelp with sending email addresses, IP addresses, and health questionnaire responses to Facebook, Snapchat, Criteo, and Pinterest for ad targeting.
8. The NO DPA imposes fine against Grindr LLC (Datatilsynet/Norwegian Data Protection Authority, December 2021) and €5.8 million fine for Grindr confirmed (noyb, October 2, 2023). The Norwegian Privacy Appeals Board upheld the fine in full.
9. How the U.S. Military Buys Location Data from Ordinary Apps (Vice/Motherboard, November 2020) and More Muslim Apps Worked with X-Mode, Which Sold Data to Military Contractors (Vice/Motherboard, January 28, 2021). Senator Ron Wyden’s office confirmed X-Mode was selling location data to US military contractors.
10. The Markup investigation: Life360 selling location data (The Markup, December 6, 2021) and Life360 Sued for Selling Location Data (The Markup, June 1, 2023). Two former employees and two former data broker employees confirmed the practice. In 2020, location data sales generated $16 million for Life360, approximately 20% of the company’s revenue.
11. Federal Court Keeps Wiretap and FCRA Claims Alive in Allstate/Arity Tracking Class Action (National Law Review, March 11, 2026). In re Allstate & Arity Consumer Privacy Litigation, No. 25 CV 407 (N.D. Ill. Mar. 3, 2026). Plaintiffs allege Allstate paid app developers to embed Arity’s SDK into GasBuddy, Life360, Fuel Rewards, Routely, and Sirius XM to collect driving behavior data used to adjust insurance premiums.
12. Facebook will shut down its spyware VPN app Onavo (TechCrunch, February 21, 2019) and Facebook pays teens to install VPN that spies on them (TechCrunch, January 29, 2019). Apple pulled Onavo from the App Store in August 2018 for violating data-collection policies; Google Play removal and full shutdown followed in February 2019 after TechCrunch revealed Facebook was paying teens for root network access through a rebadged version.
13. Beware: Hola VPN turns your PC into an exit node and sells your traffic (gHacks, May 28, 2015) and ‘Free’ VPN Hola is LITERALLY flogging access to users’ devices (The Register, May 29, 2015). Hola’s subsidiary Luminati sold access to users’ idle bandwidth as a commercial proxy network; an 8chan operator documented the botnet being used for a DDoS attack.
14. FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million (FTC, February 22, 2024). The FTC found Avast collected browsing data through its antivirus software from 2014 to 2020 and sold it through subsidiary Jumpshot to over 100 third parties. The original joint investigation was published by Vice News and PCMag in January 2020 (TechCrunch summary).
15. Google Suspends Chinese E-Commerce App Pinduoduo Over Malware (Krebs on Security, March 22, 2023) and Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation (SecurityWeek, April 14, 2023). Lookout and Kaspersky independently confirmed the exploitation. CISA added CVE-2023-20963 to its Known Exploited Vulnerabilities catalog.