Robocall-blocking apps promise to rid your life of spoofed and spam phone calls. But are they as trustworthy as they claim to be?
One security researcher said many of these apps can violate your privacy as soon as they are opened.
Dan Hastings, a senior security consultant at cybersecurity firm NCC Group, analyzed some of the most popular robocall-blocking apps — including TrapCall, Truecaller and Hiya — and found egregious privacy violations.
Robocalls are getting worse, with some people getting tens or dozens of calls a day. These automated calls demand you “pay the IRS” a fine you don’t owe or pretend to be tech support. They often try to trick you into picking up the phone by spoofing their number to look like a local caller. But as much as the cell networks are trying to cut down on spam, many people are turning to third-party apps to filter their incoming calls.
Many of the other apps aren’t much better. Several other apps that Hastings tested immediately sent some data to Facebook as soon as the app loaded.
But he reserved some criticism for Apple, noting that app privacy policies “don’t appear to be monitored,” as he discovered with Truecaller and Hiya.
“Privacy policies are great, but apps need to get better about abiding by them,” said Hastings.
“If most people took the time to read and try to understand privacy policies for all the apps they use (and are able to understand them!), they might be surprised to see how much these apps collect,” he said. “Until that day, end-users will have to rely on security researchers performing manual deep dives into how apps handle their private information in practice.”
Truecaller spokesperson Manan Shah confirmed it was sending data when the app was opened but later submitted a fix, which is now live. “We comply to Apple guidelines,” said the spokesperson. Hiya conceded that it sends some device data to third-party services when opening the app but claims it doesn’t collect personal information. “We are currently working on strengthening our privacy even further by re-submitting our apps so that even this basic device information is not shared prior to explicit consent by the user,” the statement said.
A spokesperson for TrapCall did not comment when reached prior to publication.
Updated with statement from Truecaller and Hiya.