Internet Safety for Everyday Users

App Permissions You're Leaking


Open your phone's privacy settings right now. Go through the list of permissions one by one. You'll find apps that have access to data they couldn't possibly need:

  • A flashlight app with location access;
  • A QR-scanner with your contacts;
  • A photo editor with microphone permission;
  • A free game with access to all your photos;
  • A weather app with access to your camera.

This isn't a hypothetical. It's the actual state of most phones. The apps asked once when you installed them, you tapped "Allow" because it was the easy button, and they've been quietly harvesting data ever since.

This is the most overlooked privacy leak in 2026. It's also the easiest to fix.

What's Actually At Stake

Every permission you grant has real-world implications:

Location. Reveals where you live (the spot your phone sits 8+ hours a night), where you work (the spot it sits 8+ hours a day), where your kid goes to school, where you shop, where you worship, every doctor's appointment, every gym visit, every affair, every protest. Long-term location history is devastating to privacy — it reveals every aspect of your life, including ones you'd never share verbally.

Contacts. Reveals your entire social network — every person you know, often with phone numbers, emails, relationships, and notes. Sold to data brokers, this powers targeted phishing campaigns against your network.

Photos. Reveals your face, your family's faces, your home interior, documents you photographed (IDs, credit cards, financial statements), and metadata showing exactly when and where each photo was taken.

Microphone. Once granted to an app, it can be triggered at any time the app is in the background. Apps have been caught recording snippets to identify nearby conversations, ads playing on TV, and other "ambient" signals.

Camera. Same risks as microphone, plus the ability to capture your face for biometric harvesting.

Health data. Sleep, heart rate, menstrual cycle, glucose, location of runs. Sold to insurance companies and pharma marketers in some jurisdictions.

Who Gets This Data

When you grant permissions to a "free" app, your data flows through a chain:

  • The app itself uses it for whatever feature you wanted;
  • Embedded SDKs (usually 5-15 per app) — third-party libraries for ads, analytics, push notifications, crash reporting — get copies. The app developer often doesn't even know what they collect;
  • Data brokers aggregate the data across millions of users and apps, building detailed profiles;
  • Advertisers buy access for ad targeting;
  • Insurance companies buy access to set rates;
  • Marketing firms buy access for campaigns;
  • Sometimes governments and law enforcement buy access — particularly location data, which has been used in legal cases for years;
  • Scammers buy access for targeted phishing — knowing your daily schedule and contacts makes scams more convincing.

The market for personal data is enormous — about $300 billion globally in 2025 — and your free apps are the supply chain.

The Worst Case — Outright Malicious Apps

Beyond data harvesting, some apps are explicitly malicious. A 2026 example: SparkCat, discovered by Kaspersky in early 2026, made it into both Google Play and the Apple App Store. It scanned victims' photo libraries using OCR — including Apple's own Vision framework — to find crypto wallet seed phrases that users had photographed for backup. The seed phrases were uploaded to attacker servers, and the wallets were drained shortly after.

The app looked like a normal utility. Users had granted "All Photos" access without thinking. The damage was done before anyone noticed.

This is why the principle isn't "trust the app stores" — it's "never grant a permission that isn't necessary for the feature you actually want."

The 10-Minute Permission Audit

Set aside 10 minutes once. Go through these categories and revoke what doesn't make sense.

On iOS

Settings → Privacy & Security.

Tap each category in turn. For each, review the list of apps:

  • Location Services — likely the biggest cleanup. For each app: ask "does it need to know where I am?"

    • Maps app: yes, while using;
    • Ride share: yes, while using;
    • Weather: yes, but only "While Using" — not "Always";
    • Flashlight, game, calculator, alarm: no — revoke;
    • Social media (Instagram, TikTok, etc.): usually no — revoke or set to "Ask";
    • Anything you don't recognize: revoke.
  • Photos — for each app, switch from "All Photos" to "Limited Photos" wherever possible. Limited Photos means the app sees only the specific photos you pick when you use it. Most apps work fine on Limited;

  • Microphone, Camera — revoke for any app that doesn't obviously need it (voice memos, video calls, photo apps — yes; everything else — probably no);

  • Contacts — revoke aggressively. The only apps that genuinely need your full contact list are messaging apps (WhatsApp, Signal, iMessage are built-in) and email. Almost everything else just wanted it for "find friends" features that are also spam-vector tools;

  • Tracking — go to Settings → Privacy & Security → Tracking. Turn off "Allow Apps to Request to Track". This blocks Apple's ad-tracking identifier (IDFA) at the system level.

On Android

Settings → Privacy → Permission manager.

Same approach. Tap each permission category. For each app in the list:

  • Location: change "Allow all the time" → "Allow only while using app";
  • Camera, Microphone: revoke for non-obvious apps;
  • Contacts, SMS, Call logs: revoke aggressively;
  • Files and media: review;
  • Body sensors, Physical activity, Nearby devices: very few apps actually need these — revoke broadly.

Also visit Settings → Privacy → Ads → Delete advertising ID. This stops the ad-targeting identifier Android uses.
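The Android audit above can also be scripted from a computer over adb. The following is an added example, not part of the original lesson: it parses the per-package text printed by `adb shell dumpsys package <name>` and lists every sensitive grant that falls outside a "what this app actually needs" policy. The package names, the sample dump text and the NEEDED policy are constructed for illustration.

```python
import re

# Android permission names for the categories the audit covers.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location-always",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call-log",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.BODY_SENSORS": "body-sensors",
}
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)

# Constructed sample input, shaped like `adb shell dumpsys package <name>` output.
SAMPLE_DUMPS = {
    "com.example.flashlight": """
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
    """,
    "com.example.weather": """
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
    """,
}
# Hypothetical policy: categories each app needs for the feature you want.
NEEDED = {"com.example.flashlight": {"camera"}, "com.example.weather": {"location"}}

def audit(dumps, needed):
    """Return (package, permission, category) for each granted permission outside the policy."""
    findings = []
    for pkg, text in sorted(dumps.items()):
        granted = sorted({p for p, g in GRANT_RE.findall(text) if g == "true" and p in SENSITIVE})
        findings += [(pkg, p, SENSITIVE[p]) for p in granted if SENSITIVE[p] not in needed.get(pkg, set())]
    return findings

def revoke_commands(findings):
    """Build the adb command that revokes each flagged runtime permission."""
    return [f"adb shell pm revoke {pkg} {perm}" for pkg, perm, _ in findings]

if __name__ == "__main__":
    for cmd in revoke_commands(audit(SAMPLE_DUMPS, NEEDED)):
        print(cmd)
```

An app missing from the policy is treated as needing nothing, so unrecognized apps are flagged for every sensitive grant, matching the "anything you don't recognize: revoke" rule.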

The Three Categories That Matter Most

If you only do three things, do these:

1. Location → "While Using" not "Always".

The "Always" permission is gold for data brokers — it builds a complete map of your life. "While Using" gives the app location only when you've explicitly opened it. Most apps work fine on "While Using". Switch them all.

2. Photos → "Limited Photos" / "Selected Photos".

"All Photos" is the iOS access level SparkCat exploited: apps with "All Photos" access can scan your entire library. Limited Photos means apps only see what you specifically choose for them. Android's equivalent is the "Photo Picker" introduced in Android 13.

3. Microphone → revoke unless obvious.

If an app has microphone access and isn't a call/voice/recording app, revoke it. The most common surprises here are keyboards (some require it for "voice input"), browsers (for site permissions), and social media (for video features). Revoke; you can re-grant when you actually need it.

Recheck Every 6 Months

You'll install new apps over time. Each one re-asks for permissions, and you'll tap "Allow" while focused on the new app. Schedule a recurring 10-minute review every six months — calendar reminder, recurring event, whatever.

Apple makes this slightly easier with Privacy Reports (Settings → Privacy & Security → App Privacy Report) that show what data each app has accessed in the last 7 days. Android offers similar information in Privacy Dashboard (Settings → Privacy → Privacy Dashboard).

Check these monthly. Anything weird? Revoke.

1. Which permission category is considered the most critical to switch from "Always" to "While Using" to protect your privacy?

2. What is the recommended setting for photo access permissions to limit app access to only selected photos?
