On by default: your apps are sharing more than you think

Recently a security researcher did a very creepy but insightful thing: digging through data from the AllTrails app to track a former White House official. The researcher could track visits to the White House, find the user's home, and even track official activity throughout Washington, DC through publicly shared data from a hiking app.

This didn't happen because the particular user was a government official or was notable in any way. It happened because the app was set to share user activity data with the public by default. It's also not the first time it's happened; the military had to review the use of these sorts of apps after Strava was caught doing the same exact thing. So many apps do it. Even Tim Hortons.

I can't read minds, but I'm pretty sure the current political climate means no public official would want to share where they are with everyone, let alone visits to the Pentagon or NSA offices. This was just a case where another consumer had no idea an app was doing a lot more than he or she thought it was doing because Apple or Google let them do it.

The rise of mobile technology has revolutionized the way we interact with the world. Mobile devices, such as smartphones and tablets, have become an essential part of our lives, enabling us to communicate, work, and play on the go. However, with the proliferation of mobile apps, concerns about privacy and data protection have become increasingly prominent. Many mobile apps require access to our personal information, including our location, contacts, and online behavior, raising questions about the potential misuse of this information.

One of the most significant concerns surrounding mobile apps is their default privacy and location settings. Apple and Google have done a lot of work to make sure things like access to contacts or location aren't happening without user consent, but most apps are designed to collect user data by default knowing you'll grant access to just about anything. This practice has become so widespread that many people have grown accustomed to the idea of giving apps access to their personal data without giving it much thought.

This raises serious concerns about privacy and data protection. By allowing apps to access and then share our personal data, we are effectively giving up control over our own information. This creates the potential for our data to be misused, either by app developers themselves or by third parties who may gain access to it. But it can get worse (as seen above) when app settings are all set to on without asking.

To address these concerns, any setting that has the potential to share your data with anyone or any other service needs to be set to off by default, giving users the choice of whether or not to enable them. This approach would put us in control of our own data, allowing us to decide what information we want to share with app developers and the world, and what information we want to keep private.

One of the key benefits of this approach is that it would increase transparency around data collection. By making settings opt-in rather than opt-out, app developers would be forced to provide more information about the extent of their data collection and how that data will be used. This would help to promote greater trust between app developers and users, as users would be able to make informed decisions about whether or not to trust an app with their personal information.

Another benefit is that it would help to reduce the potential for misuse of user data. By giving users greater control over what happens once data is collected, app developers would be less likely to engage in practices that may be perceived as intrusive or unethical. For example, app developers may be less likely to provide user data to third parties if they know that users are able to opt out of data collection or sharing in response. This would help to ensure that everything is used only for legitimate purposes and in ways that are consistent with user expectations.

The main benefit, of course, is for us. By giving us greater control over our own data and allowing us to choose which data to share and which data to keep private, we would be able to protect and manage our own online privacy more effectively. This is something everyone should want.

Some critics of this approach may argue that it would be too complicated for users to enable privacy and location settings themselves. This argument does not hold up to scrutiny. Most users are already familiar with the concept of privacy and location settings and are able to enable them with minimal effort. We already enable some permissions settings as part of an app's onboarding process, so the process of enabling other settings would be no more complicated than it is currently. The developers only have to ask.

Some developers would see no problem with this. We know because some apps are already built this way, and you need to perform a quick review of the settings when you first start using them. Other developers aren't going to get on board and settings will just be turned on, hoping you never take the time to look because there's money to be made.

This is why Apple and Google are going to have to force them to do it. I hate the idea of giving Apple and Google more control over, well, anything. But they are the only companies that can effectively force what's right for consumers, and asking us before broadcasting where we go to the entire planet is one of those things.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
