#privacy: Robocall-blocking apps may be violating user privacy

Numerous privacy violations have been identified with some of the most popular robocall-blocking apps. 

Dan Hastings, a senior security consultant at the cybersecurity firm NCC Group, analysed some of the most popular robocall-blocking apps, including Hiya, TrapCall and Truecaller. 

He found that many of the apps had been sharing user and/or device data with third-party analytics companies without obtaining explicit consent. 

Hastings discovered that TrapCall had been sending users’ phone numbers to a third-party analytics firm, without explicitly informing users in the app or in the privacy policy. 

After Hastings contacted Apple, TrapCall changed its privacy policy to inform users that their data is being shared with third parties. 

TrapCall said in a statement:

“TrapCall only shares phone numbers with service providers who power our internal analytics and app messaging platforms. Additionally, service providers are prohibited from using TrapCall data for their own or any other purpose.”

Another app, Hiya, was found to be uploading device data, including device type, software version, model and more, before users agree to the privacy policy. In effect, data is sent to third-party services as soon as the app is opened, although phone numbers and other personally identifiable information (PII) have never been included. 

On Android devices, Hiya requests access to location data, which is unrelated to blocking phone calls. The company has stated that location data is requested so that people can find nearby businesses more easily. 

Hiya has addressed the concerns and will be re-submitting its apps to the iOS and Play stores. 

As for Truecaller, Hastings discovered that the app had been sending data about user devices to social media platforms before users agreed to the privacy policy. Truecaller has responded to the concerns, stating that its privacy policy will be revised. 

The company said in a statement, “note that our Privacy Policy is common across all mobile platforms and that’s why the confusion exists. We’re looking at updating the privacy policy to make it clearer what we’re doing on each platform.”

“Privacy policies are great, but apps need to get better about abiding by them,” said Hastings.

“If most people took the time to read and try to understand privacy policies for all the apps they use (and are able to understand them!), they might be surprised to see how much these apps collect,” he said. “Until that day, end-users will have to rely on security researchers performing manual deep dives into how apps handle their private information in practice.”

