How to Read Your iOS 15 App Privacy Report

Your iPhone now gives you lots of transparency into what your downloads are up to. Here's what to look out for.

It's broadly safe to download a mainstream app from the iOS App Store or Android's Google Play. But thanks to increasingly invasive tracking by Facebook and others, Apple and Google have both recently introduced transparency features into iOS and Android that give you more insight into how often apps access data and sensors, from your camera and microphone to your location and contacts. If you're an iOS user, the App Privacy Report tool likely hit your phone a few weeks ago. Here's how to get the most out of it. 

The first step to using the feature, which launched as part of iOS 15.2, is simply to turn it on in Settings > Privacy > App Privacy Report. From then on, as you use your phone, the tool will record details about what your apps are up to for a rolling seven-day period. All the app activity information is stored locally on your phone, and if you turn App Privacy Report off, the data will be deleted from your device.

Your report is broken down into four sections: Data & Sensor Access, App Network Activity, Website Network Activity, and Most Contacted Domains.

The data and sensor breakdown at the top shows how many times your apps access sensitive data and sensors—like your camera, microphone, and location—and when they used that access. It's understandable that your map or weather app has been accessing your location, but if you're surprised to find a music app checking where you are, you might opt to revoke permission. Similarly, a calculator probably shouldn't be accessing your microphone. The report also helpfully shows when the app accessed the data or sensor, so you can connect the activity to a legitimate function while you were using the app. A game that accesses your location while you're sleeping, though, could be up to something.


The second section shows network activity, meaning which web domains your apps have reached out to in the past seven days. The report makes a distinction between domains the app contacted “directly” and those “contacted by other content.” The former means domains an app contacts to function, like your weather app pulling down the latest temperature data. The latter, though, is what happens when you click on a news article through a social network, say, or when an ad module auto-plays a video. 

The idea is to give you extra insight into when and why your apps are interacting with these domains. The problem, though, is that even with that distinction, most people wouldn't recognize whether the domains and IP addresses that show up on this list are trustworthy in the first place. When the Facebook app contacts “web.facebook.com,” you know you're probably OK, but you might not recognize “bidder.criteo.com” or “video.primis.tech” on the same list.

“The data I’m seeing so far is all just what website domains apps are communicating with, which is of somewhat limited value for the average consumer who wouldn’t know what domains to be concerned about,” says Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes. “I personally will be interested to see if any of my apps are communicating with sketchy domains.” 

The content delivery and digital advertising ecosystems are a dense maze of platforms that silently facilitate a lot of app services behind the scenes. That anonymity to the end user is part of the point; you probably don't know which vendors and service providers your favorite restaurant uses either. But this means that it could be challenging to vet every domain you see listed in the App Privacy Report. You can use your instincts, though, like if you see an app you thought was made in the US connecting to lots of foreign domains.

The next section lists “Website Network Activity,” which does the same thing but for sites loaded through in-app browsers, or mobile browsers like Safari and Chrome. For example, if you visit “wired.com” the report will show you which domains it contacted, like “fastly.net” and “googlesyndication.com.” You also get a breakdown of which apps loaded these sites. You might expect to see "wired.com" in your Safari browsing history, for example, but probably not in your period tracker, unless you remember opening an article link through your cycle tracker's in-app browser.

The last section tracks the most contacted domains across all your apps and the websites they loaded.

“Guess what connects to lots of domains? Social, shopping, search—pretty predictable,” says Maximilian Zinkus, a cryptographer at Johns Hopkins University. “But I guess if you see anything aside from those types of domains, it’s potentially interesting. Similarly, the most contacted domains for me, and probably many, is a list containing content delivery networks and Google fonts and analytics. Again pretty predictable, so if you see a weird domain on that list, it could be a signal of a spyware app or rogue browser extension.”

Zinkus notes that the report includes a “share” function so you can export the data for more analysis if you so choose. He emphasizes that for the average user, the data and sensor breakdown at the top of the report is probably the easiest and most important to keep an eye on.

“If an app is unexpectedly tracking location, microphone, or other sensors, that’s a huge red flag,” he says. “I would recommend uninstalling and even filing a report with Apple through the App Store if an app really seems to have unexplained access.”
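For readers who use the share function to export the report, the sketch below (an added example, not code from Apple or from anyone quoted here) tallies sensor access per app, flags accesses that began overnight, and groups contacted domains by app. It assumes the export is a text file with one JSON record per line and the field names shown in the constructed sample; check them against your own file.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records, one JSON object per line. The field names are an
# assumption about the exported file's layout, not taken from the article.
SAMPLE_EXPORT = """\
{"type":"access","accessor":{"identifier":"com.example.weather","identifierType":"bundleID"},"category":"location","kind":"intervalBegin","timeStamp":"2021-12-14T08:15:02.100-05:00"}
{"type":"access","accessor":{"identifier":"com.example.game","identifierType":"bundleID"},"category":"location","kind":"intervalBegin","timeStamp":"2021-12-14T03:12:45.000-05:00"}
{"type":"access","accessor":{"identifier":"com.example.game","identifierType":"bundleID"},"category":"location","kind":"intervalEnd","timeStamp":"2021-12-14T03:12:50.000-05:00"}
{"type":"access","accessor":{"identifier":"com.example.calc","identifierType":"bundleID"},"category":"microphone","kind":"intervalBegin","timeStamp":"2021-12-14T14:30:00.000-05:00"}
{"type":"networkActivity","bundleID":"com.example.game","domain":"ads.tracker.example","hits":42,"timeStamp":"2021-12-14T03:13:00.000-05:00"}
not-json trailing line
"""

def parse_report(text):
    """Return the well-formed JSON object records, skipping blank or damaged lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records

def sensor_summary(records, quiet_start=0, quiet_end=6):
    """Count accesses per (app, category); list those begun in the quiet hours."""
    counts, overnight = defaultdict(int), []
    for rec in records:
        if rec.get("type") != "access" or rec.get("kind") != "intervalBegin":
            continue  # count each access once, at the start of its interval
        app = rec.get("accessor", {}).get("identifier", "unknown")
        key = (app, rec.get("category", "unknown"))
        counts[key] += 1
        stamp = rec.get("timeStamp", "")
        # The hour is read in the UTC offset recorded with the timestamp.
        if stamp and quiet_start <= datetime.fromisoformat(stamp).hour < quiet_end:
            overnight.append(key + (stamp,))
    return dict(counts), overnight

def domains_by_app(records):
    """Total hits per contacted domain, grouped by app bundle ID."""
    out = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec.get("type") == "networkActivity":
            out[rec.get("bundleID", "unknown")][rec.get("domain", "unknown")] += rec.get("hits", 0)
    return {app: dict(hits) for app, hits in out.items()}
```

To run it on a real export, pass the file's contents to `parse_report` and adjust `quiet_start` and `quiet_end` to the hours you are normally asleep.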

If you're worried about the security and privacy of apps in general and want to reduce your exposure, the most foolproof option is simply to delete as many as possible. 

“My personal report is pretty boring,” Zinkus says, “as I don’t install a ton of apps.”

