How Caller ID Apps Like Truecaller Secretly Violate Your Privacy

Near the end of the last century, over two and a half decades ago, privacy implications of Caller ID devices were in the midst of a heated debate.

The arguments in favor of the device included mainly reducing obscene calls and Bart Simpson style crank calls.

Arguments against the device claimed that people would be discouraged from placing calls that are usually made anonymously, such as reporting crimes to the police, calling crisis center hotlines, etc.

Looking back today, we know that everybody uses Caller ID with our advanced smartphones and people don't think twice about contacting anybody because of that.

Modern smartphones display the number of almost all incoming calls, yet without putting a name to that number it's meaningless to us and we usually don't make an effort to look it up.

We either take the call, or we don't.

The playing field is leveled: everybody knows which number the call is from unless it's a blocked number, in which case some choose to simply ignore the call.

Apps like Truecaller, Hiya, and CallApp are a solution to a problem similar to the one we had in the last century; only it's not obscene calls and crank calls we're trying to avoid but unsolicited telemarketing, phone spam, robocalls, and various scams like the infamous tech-support scam.

Some of these apps even allow you to see how other people named you in their contacts.

So what's the problem?

To understand that, let's take a look at how apps like Truecaller work.

Throughout this article, I demonstrate my points mainly using Truecaller as an example, but to my knowledge other caller ID apps aren't any more privacy-oriented than this one.

How Apps Like Truecaller Work

Caller ID apps appeal to users because they use crowd wisdom to warn them about incoming spam calls.

When enough users report a number, the app notifies users that an incoming call from that number is spam.

But that's not all:

Your phone contains a lot of information about you and the people in your address book.

If you're a very organized person, you would have not only the name and phone number of your contacts, but their email, photo, address, additional phone numbers, and any contact information you'd like to keep for your contact.

When you install an app like Truecaller, you grant it permissions to access and read this information.

Based on its Privacy Policy, Truecaller collects and uses the phone numbers, names, Google IDs, and email addresses from all your contacts:

Please note that no other contact information other than the phone numbers and thereto attached names, Google ID’s and email addresses will be collected and used from Your address book. Other numbers or information that may be contained in Your address book will be filtered away by our safety algorithms and will therefore not be collected by Truecaller.

The caller ID app of your choice will use its permissions to get all the information it can from your address book and add it to their database, cross-referencing similar information taken from other users and other third-party sources.

So, if you have my number in your address book and you install an app like Truecaller, you share all my associated contact information from your device with that app without my knowledge.

Your Privacy is Out of Your Control

The problem that arises is this:

You're not the person in control of your own privacy when your friends (or any of your contacts) use apps like Truecaller.

You obviously can't control the apps your friends install so you lose control of the personal information you entrusted to your contacts.

As a matter of fact, the only way to regain control is to avoid giving out your contact information to anybody and change your phone number, and that's not realistic.

Facebook is far from being the bastion of online privacy, but it still allows you to receive a notification when a friend tags you in a photo and the option to remove it.

Why don't we receive a notification when our number is added to a database similar to Truecaller?

Because the Terms of Service state that:

By accepting the Truecaller Privacy Policy and/or using the Services You consent to the collection, use, sharing and processing of personal information as described herein. If You provide us with personal information about someone else, You confirm that they are aware that You have provided their information and that they consent to our use of their information according to our Privacy Policy.

Apparently, I can consent to Truecaller's Privacy Policy in the name of my contacts and Truecaller trusts me to get their consent in advance.

This is absurd!

I can only hope that at some point there will be legislation pertaining to this matter, or at least a few juicy scandals that will encourage people to pay attention to the unprecedented invasion of privacy which occurs in the name of marginal convenience.

Required Permissions and Collected Data

You're even more exposed when you actually install the app on your device.

As an example, let's take a look at Truecaller itself, which is by far the most popular Caller ID app with its 4.5 million downloads to date.

Based on Truecaller's Privacy Policy, this is the information collected about you:

This information may include the following: geo-location, Your IP address, device ID or unique identifier, device manufacturer and type, device and hardware settings, ID for advertising, ad data, operating system, operator, IMSI, connection information, screen resolution, usage statistics, device log and event information, incoming and outgoing calls and messages, times and date of calls, duration of calls, version of the Truecaller Apps You use and other information based on Your interaction with our Services. Truecaller may use the information collected from, and in connection with, all of our services to provide, maintain, and improve them, to develop new ones, and to protect Truecaller and its users. Truecaller also uses this information to provide you with tailored content, such as search results and advertisements more relevant to You.

You tell them everything about yourself, from your identity and location, to details about your device, IP address, and even whether you're on a call at any given moment!

When you install it on your device, you grant it all the permissions it demands, including access to the information about your contacts.

Here's the complete current list of permissions Truecaller for Android requires if you wish to install it.

Version 7.86 can access:

In-app purchases

Identity

  • find accounts on the device
  • add or remove accounts
  • read your own contact card

Calendar

  • read calendar events plus confidential information

Contacts

  • find accounts on the device
  • read your contacts
  • modify your contacts

Location

  • approximate location (network-based)
  • precise location (GPS and network-based)

SMS

  • read your text messages (SMS or MMS)
  • receive text messages (MMS)
  • receive text messages (SMS)
  • send SMS messages
  • edit your text messages (SMS or MMS)

Phone

  • directly call phone numbers
  • directly call any phone numbers
  • modify phone state
  • reroute outgoing calls
  • read call log
  • read phone status and identity
  • write call log
  • add voicemail

Photos/Media/Files

  • read the contents of your USB storage
  • modify or delete the contents of your USB storage

Storage

  • read the contents of your USB storage
  • modify or delete the contents of your USB storage

Microphone

  • record audio

Wi-Fi connection information

  • view Wi-Fi connections

Device ID & call information

  • read phone status and identity

Other

  • use any media decoder for playback
  • bind to a notification listener service
  • download files without notification
  • MMS Wakeup
  • read voicemail
  • write voicemails
  • receive data from Internet
  • view network connections
  • create accounts and set passwords
  • change network connectivity
  • disable your screen lock
  • full network access
  • change your audio settings
  • control Near Field Communication
  • run at startup
  • draw over other apps
  • use accounts on the device
  • control vibration
  • prevent device from sleeping
  • modify system settings
  • install shortcuts
  • uninstall shortcuts

That's a lot of permissions to avoid the task of hanging up on telemarketing calls.
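One way to run the same review on any app before installing it, as an added example that is not part of the original article: the script below parses the output of `aapt dump permissions <apk>` (from the Android SDK build-tools) and separates permissions that expose other people's data from those that expose only your own. The sample output and package name are constructed, and the "others"/"own" split is this example's own classification, not an Android concept.

```python
import re

# Permission -> (group heading from the list above, whose data it exposes).
# "others" = data about people who never installed the app (assumed split).
SENSITIVE = {
    "android.permission.READ_CONTACTS": ("Contacts", "others"),
    "android.permission.WRITE_CONTACTS": ("Contacts", "others"),
    "android.permission.READ_CALL_LOG": ("Phone", "others"),
    "android.permission.READ_SMS": ("SMS", "others"),
    "android.permission.RECEIVE_SMS": ("SMS", "others"),
    "android.permission.READ_CALENDAR": ("Calendar", "own"),
    "android.permission.GET_ACCOUNTS": ("Identity", "own"),
    "android.permission.READ_PHONE_STATE": ("Device ID & call information", "own"),
    "android.permission.ACCESS_FINE_LOCATION": ("Location", "own"),
    "android.permission.RECORD_AUDIO": ("Microphone", "own"),
}

# Matches both aapt output styles: name='X' and the older bare form.
LINE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([A-Za-z0-9_.]+)")

# Constructed sample of `aapt dump permissions` output (not a real app).
SAMPLE = """\
package: com.example.callerid
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.VIBRATE
"""

def requested_permissions(aapt_output):
    """Return the set of permission names found in the aapt output."""
    matches = (LINE.match(line.strip()) for line in aapt_output.splitlines())
    return {m.group(1) for m in matches if m}

def audit(aapt_output):
    """Group requested permissions by whose data they expose."""
    report = {"others": [], "own": [], "unclassified": []}
    for perm in sorted(requested_permissions(aapt_output)):
        if perm in SENSITIVE:
            group, whose = SENSITIVE[perm]
            report[whose].append((group, perm))
        else:
            report["unclassified"].append(perm)
    return report

if __name__ == "__main__":
    for whose, items in audit(SAMPLE).items():
        print(whose, items)
```

Anything listed under "others" is data your contacts gave you, not the app, which is the exposure this article is about.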

The benefits of this type of app are marginal relative to the depth of access you provide.

In fact, there are great antivirus software products like Kaspersky and Trend Micro which allow you to block spam calls and filter text messages.

I would trust a company whose business is security more than a company whose business is my data.

Caller ID Apps Similar to Truecaller

You might say you trust Truecaller not to do anything immoral.

You might say that Truecaller is a big company with a reputation to maintain.

But while Truecaller is the leading app, it's far from being the only one.

Some of the more popular apps like Truecaller are CallApp, Hiya, and WhosCall, all of which had over 100,000 downloads from the Google Play Store.

In fact, there are 244 apps like this in the Google Play Store, but most of them are not popular enough to be mentioned.

I'm certain that with a market that's so saturated with similar services, there are companies that take advantage of the user's innocence and engage in undesirable activities like selling data.

There's big money in data.

History of Hacks and Security Breaches

And because there's big money in data, there's always a security risk whenever customer data is involved.

You might remember the news of the biggest data breaches such as the 2013 Yahoo breach resulting in one billion stolen records which only came to light in 2016.

While this one made the news, many other breaches don't.

Truecaller learned the importance of closing vulnerable access points when its database was hacked by exploiting security vulnerabilities in its WordPress-hosted blog.

The company claimed that only encrypted records were obtained by the hackers and that the keys remained secure. The entry about this matter has since been removed from their blog.

Another security concern came to light when the CheetahMobile researchers exposed a vulnerability in the Truecaller app in 2016.

This vulnerability could've been exploited in order to modify the settings of a user's device by knowing only the IMEI (unique identifier of a physical mobile device) of a device.

Mistakes happen, but this is also the result of requiring such deep permissions upon installation of the app.

Any settings the app could modify for one feature or another, a hacker could modify as well.

If you scroll back up to the list of permissions, you'll find that the app can control the accounts on your device, place calls, send text messages, and much more.

Imagine what could have happened if this vulnerability had been discovered by the wrong person.

How to Remove Your Phone Number from the Truecaller Database

Luckily, there's a simple solution, but you wouldn't know about it if you didn't search for it.

Truecaller allows you to remove your information from their database by simply typing in your phone number.

The fact that Truecaller uses the non-word "unlist" rather than "opt-out" or "remove" only demonstrates how much this company wants you to find their opt-out page.

To clarify - it doesn't.

Furthermore, it doesn't have an easily accessible link to this page from their site. You have to search for answers in their support section, and if you're perceptive enough you might find the answer that contains this link.

Similar apps make matters even worse. For example, Hiya forces you to sign up before you can submit a removal request.

This places another hurdle for users looking to control their private information.

In my mind, companies that make it difficult to opt out of any service are not companies worthy of our business, even if we're not paying them anything.

It doesn't matter which means they use to make it difficult, it's the intention that counts, and the only intention I see here is an attempt at being perceived as a transparent company while actually making it more difficult for users to "unlist".

Conclusions

In this article we learned that:

  • Truecaller doesn't notify you when you're added to their database, even though they have your phone number and they could easily let you know via SMS. They could include a link to opt out as well.
  • In order to opt out, you need to search for an unpredictable name of the page or dig through its FAQ section. However, you would first need to find out that you were added.
  • Other, less popular apps like Truecaller can be even worse in terms of how easy it is to remove yourself from their database.
  • The plethora of permissions you grant, along with the incredible amount of data held by Truecaller, are a gateway for security risks.
  • There's antivirus software that offers similar features and can be trusted with your data.

Unlike the Caller ID device which was debated in the early 90s, Truecaller and its alternatives collect personal contact details of people who didn't agree to share them.

It's as simple as that.

With big data comes great responsibility!

As I demonstrated above, the companies behind these apps don't take any responsibility nor do they demonstrate actual transparency in their practices.

Apps like Truecaller and other intrusive apps start off by demanding a lot of permissions and work on security later.

The security concerns along with the transparency and privacy concerns lead me to one recommendation:

Avoid intrusive apps and be careful about the permissions you grant.

Remember, your device contains information about your friends and family.

Sharing private information which other people entrusted you with is not something a friend should ever do.

By Dennis Z

Privacy fanatic & online marketing guru

A millennial privacy freak who wouldn’t normally even put his first name anywhere, not to mention his last name or his photo. Having learned basic programming at the advanced age of 11, computers have always been a part of his life in every aspect.
