A friend of mine — sharp guy, works in finance — handed me his phone once to show me something. I noticed he had a flashlight app. Not the built-in one. A third-party flashlight app he'd downloaded years ago and never thought twice about. That app had access to his microphone, his contacts, and his precise location. For a flashlight.
That's not a freak case. That's Tuesday.
The Problem Isn't the App You're Afraid Of
Most people worry about shady apps from unknown developers. The uncomfortable truth is that some of the riskiest apps on your phone are ones you use every day — apps you trust, apps with millions of downloads, apps made by companies with marketing budgets bigger than most countries' GDP.
Take free VPN apps. The whole pitch is privacy. You're protecting yourself. But according to the Australian Cyber Security Centre (ACSC), many free VPN providers log your activity and sell that data to third parties, which is the exact thing you were trying to prevent. You handed your entire browsing history to a company you know nothing about, in exchange for a false sense of security.
That's not irony. That's the business model.
The Apps Sitting in Your Drawer
You know that category of apps you downloaded once, used for a weekend trip or a single project, and then forgot about? Those are quietly dangerous in a way that gets almost no attention.
Old apps stop getting security updates. A vulnerability discovered in 2022 might still be sitting, unpatched, in an app you haven't opened since 2021. But the app still has permissions, and depending on the platform it may still be allowed to run in the background. (Recent Android versions automatically reset the permissions of apps you haven't used for months; iOS does not, unless you've turned on offloading of unused apps.) It's a door you left unlocked in a house you forgot you owned.
Go check your phone's app list right now. If you see apps you haven't opened in six months, ask yourself: does this thing still have access to my camera? My files? My location? For most people, the answer is yes.
The Surprising One Nobody Talks About
Here's where it gets counterintuitive: your keyboard app might be the most invasive app on your phone, and it's one people almost never consider.
Third-party keyboards — the ones with extra themes, emoji packs, or swipe-to-type features — sit between you and everything you type. Every password. Every bank account number you've ever entered. Every private message. The keyboard processes it all before it goes anywhere else.
According to the Electronic Frontier Foundation (EFF), some third-party keyboards transmit keystrokes back to their servers, often to improve autocorrect but with no real limit on what gets collected. If you're using a keyboard made by a company you've never researched, you are trusting that company with the most sensitive data stream on your device.
Switch back to your phone's built-in keyboard. It's not exciting, but excitement isn't what you want from the thing logging everything you type.
Social Media Apps: The Obvious One, With a Twist
Yes, you already know social media apps collect a lot of data. But most people think of this as an abstract privacy concern — some algorithm learns you like hiking, you get hiking ads, fine, whatever.
The real risk is more concrete. Social media apps frequently request permissions they don't functionally need — access to your contacts, microphone, camera, and precise GPS location. According to Mozilla Foundation's Privacy Not Included guide, many apps share or sell this data with dozens of third-party brokers, and once it leaves the app, you have no visibility into where it goes.
That data can end up in background check sites, targeted phishing campaigns, or data broker databases that anyone can pay to access. You're not just feeding an algorithm. You're populating a profile that exists long after you delete the app.
What You Can Actually Do
None of this requires becoming a technical expert. Here's what moves the needle:
Start with a permission audit. On iPhone, go to Settings → Privacy & Security; while you're there, App Privacy Report shows which apps actually used the camera, microphone, or location in the past week, not just which ones could. On Android, go to Settings → Privacy → Permission Manager (the exact path varies by Android version and manufacturer; searching Settings for "Permission manager" gets you there). Look at which apps have access to your microphone, camera, and location. Ask yourself if that access makes any sense. A recipe app with microphone access does not make sense.
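If you'd rather audit an Android phone from a terminal than tap through every app, the same check can be run over the output of `adb shell dumpsys package packages`, which lists each package's runtime permissions and whether they are granted. The script below is an added example written for this article, not a tool the article's sources provide; the `dumpsys` sample it ships with is constructed to mimic the real format rather than captured from a device, and the package names in it are made up.

```python
"""Flag third-party Android apps holding sensitive runtime permissions.

Usage:  adb shell dumpsys package packages | python3 audit_perms.py
Run with no input to process the constructed SAMPLE below.
(Added example for the permission-audit step above; not from the article's sources.)
"""
import re
import sys

# Runtime ("dangerous") permissions worth questioning app by app.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

# Constructed sample in the shape of `dumpsys package packages` output
# (package names are hypothetical, not real apps).
SAMPLE = """\
Package [com.example.flashlight] (a1b2c3):
  userId=10123
  requested permissions:
    android.permission.CAMERA
    android.permission.RECORD_AUDIO
    android.permission.ACCESS_FINE_LOCATION
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: installed=true hidden=false
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
Package [com.example.recipes] (d4e5f6):
  userId=10124
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: installed=true hidden=false
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
"""


def parse_dumpsys(text):
    """Return {package: [granted runtime permission, ...]} from dumpsys output.

    Only the 'runtime permissions:' section counts: install permissions such
    as INTERNET are granted automatically and are not user-revocable.
    """
    grants = {}
    pkg = None
    in_runtime = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            grants.setdefault(pkg, [])
            in_runtime = False
            continue
        if pkg is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if stripped.endswith("permissions:"):  # any other permissions section
            in_runtime = False
            continue
        m = PERM_RE.match(line)
        if in_runtime and m and m.group(2) == "true":
            grants[pkg].append(m.group(1))
    return grants


def flag_sensitive(grants):
    """Return {package: [capability, ...]} for packages with sensitive grants."""
    flagged = {}
    for pkg, perms in grants.items():
        hits = [SENSITIVE[p] for p in perms if p in SENSITIVE]
        if hits:
            flagged[pkg] = hits
    return flagged


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pkg, caps in sorted(flag_sensitive(parse_dumpsys(text)).items()):
        print(f"{pkg}: {', '.join(caps)}")
```

The output is a short list you can take back to the settings screen: anything that looks like a flashlight with a microphone is a revoke or a delete. The script only reports grants, so an app that requested a permission and was denied does not show up, which is the correct result for an audit of what apps can do today.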
Delete what you don't use. Not archive. Delete. The permissions go with it.
For VPNs, pay for one or use none. The business model of a free VPN is not charity. Mullvad and ProtonVPN are two that have passed independent audits. They cost a few dollars a month. That's the actual product. Keep in mind that a paid VPN still sees all of your traffic; what you're buying is a provider whose logging claims have been checked by someone other than the provider.
Replace your third-party keyboard. This one simple switch closes a significant data exposure most people have never thought about.
Check app update history before downloading anything new. If an app hasn't been updated in over a year, the developer has likely abandoned it. An abandoned app is an unpatched app. A recent update only proves the app is maintained, not that it's trustworthy, so still read the permissions it asks for.
The Part Most Security Articles Skip
Here's what I want to be straight with you about: even if you do everything above, you're not fully protected.
The data that was already collected, before you read this and before you thought to check, is already out there. You can limit future exposure, but there's no retroactive delete button for data that's already been sold, shared, or breached. Most security writing ends with a clean call to action, as if doing the right thing today erases yesterday. It doesn't.
What it does do is make tomorrow better. That's worth doing, even without the tidy ending.
Sources:
- Australian Cyber Security Centre (ACSC)
- Electronic Frontier Foundation (EFF)
- Mozilla Foundation – Privacy Not Included
