LAS VEGAS -- Many robocall-blocking apps for smartphones send your phone number and other identifying information to advertisers, and almost all connect to either Facebook or Google, security researcher Dan Hastings said in a presentation this past weekend at the DEF CON 27 hacking conference here.
Hastings looked at about 10 robocall blockers in the iOS App Store and analyzed which online services they communicated with. He also read their privacy policies and found that almost all of the apps didn't meet Apple's own privacy guidelines, which every app is supposed to follow.
"Robocall-blocking apps have access to your phone number, your contacts, even your text messages and voicemails," Hastings said. "Is this information leaked to third parties, such as data brokers or analytics companies?"
"I didn't observe that Truecaller was actually doing this," he said. "But it's definitely against Apple's privacy guidelines."
Such violations of Apple's privacy guidelines are what spurred Apple to temporarily shut down some Facebook and Google apps this past spring after both companies were caught using features meant for in-house use in market-research apps in the App Store.
The other iOS apps Hastings looked at -- Call Blocker, Call Protect, Mr. Number, Nomorobo, Numbo, RoboKiller, SpamKiller and YouMail -- had less serious privacy violations, but all except Mr. Number and Call Protect connected to Facebook upon launching, as did Hiya, TrapCall and Truecaller. (Call Protect is not to be confused with AT&T's Call Protect.)
Hastings said he contacted Apple about the privacy-guidelines violations of the robocall-blocking apps, but the only response he had received by the time of his presentation Sunday (Aug. 11) was that the issue would be passed along to the App Store review team.
Tom's Guide reached out to Apple for comment, and we will update this story if Apple responds.
"Apple clearly isn't monitoring apps' privacy policies for compliance with their guidelines," Hastings said. "Apps need to get better about abiding by privacy policies, and users deserve to know how apps handle their data."
Asked by an audience member if he'd found any robocall-blocking apps that "weren't terrible," Hastings punted.
"All of them send data to analytics companies," he said. "They don't need to -- all the blocking technology is within the app. There were a couple that were incredibly simple, so I liked those the best. But I stopped using all robocall-blocking apps, and now I get a ton of robocalls."