Conventional spyware refers to malicious code that hijacks an app to take data from the user. Yet many conventional apps are taking our data, often without us fully realising it. A review of which apps pose the greater risk to personal data finds Instagram and Facebook ranking first, collecting the most sensitive information like physical address, device, and user identity.
The study was conducted by IT Asset Management Group (ITAMG) and it analysed the privacy policies of over 5,000 apps from the Apple App Store. These apps were selected from a broader list of the top 100 apps in each category, with duplicates and those missing data removed.
To determine which apps are the most invasive, analysts created an index out of 100 based on 46 indicators, including 35 types of data, six purposes for data collection, and five different types of user relationships.
The level of privacy intrusion was measured by classifying each data type as tracked and linked, tracked, linked, neither linked nor tracked, or not collected at all, with “tracked and linked” being the most intrusive.
Top 10 most invasive apps
| Rank | App Name | Total No. Data Types Collected | No. Data Types Linked to User | No. Data Types Linked & Tracked | Index Score (/100) |
| --- | --- | --- | --- | --- | --- |
| = 1 | Instagram | 32 | 25 | 7 | 61.47 |
| = 1 | Facebook | 32 | 25 | 7 | 61.47 |
| 3 | Grab: Taxi Ride, Food Delivery | 27 | 8 | 15 | 55.57 |
| = 4 | Threads | 32 | 32 | 0 | 54.53 |
| = 4 | Meta Business Suite | 32 | 32 | 0 | 54.53 |
| = 4 | Messenger | 32 | 32 | 0 | 54.53 |
| 7 | Nordstrom Rack: Shop Deals | 22 | 4 | 18 | 53.62 |
| 8 | Nordstrom | 22 | 5 | 17 | 52.54 |
| 9 | Pinterest | 29 | 22 | 6 | 50.06 |
| 10 | AE + Aerie | 21 | 3 | 16 | 50.01 |
As discussed above, the Meta pair of Instagram and Facebook come in first place with an index score of 61.47 out of 100. Both apps are among the most widely used worldwide and collect 32 out of 35 data types, 25 of which are linked to the user, while seven are both linked to the user and tracked. These apps also rank highly because of how invasive they are in collecting sensitive information like physical addresses, devices, and user IDs. This is in stark contrast with other popular entertainment apps such as YouTube and TikTok, which rank 27th and 76th respectively.
Coming in third is Grab: Taxi Ride, Food Delivery, with a score of 55.57 out of 100. This app collects 27 data types, eight of which are linked to the user, and 15 are linked and tracked. As a ride-hailing and food delivery app, it collects sensitive information such as payment information and other financial data, as well as precise location and purchase history.
In fourth place is a three-way tie between Threads, Meta Business Suite, and Messenger, each scoring 54.53 out of 100. These apps collect 32 data types, and while all are linked to the user, none are tracked.
Further down the list, Nordstrom Rack: Shop Deals ranks seventh with a score of 53.62, collecting 22 data types, four of which are linked to the user, and 18 are both linked and tracked.
In eighth place, Nordstrom follows closely with a score of 52.54. It collects 22 data types, five linked to the user and 17 linked and tracked. Pinterest is in ninth place with an index score of 50.06. This app collects 29 data types, 22 of which are linked to the user and six of which are linked and tracked.
Rounding out the top ten is AE + Aerie, short for American Eagle Outfitters, the apparel brand, scoring 50.01 out of 100. This app collects 21 data types, three of which are linked to the user and 16 of which are linked and tracked.
Of all the apps and categories studied, Photo & Video apps are the most invasive. Although only 23 were found to be over the minimum review threshold and therefore eligible for the study, the category’s overall score was 38.54 out of 100. This category is followed by Social Networking apps and Food and Drink apps.
