Even the toughest privacy policies can’t fully prevent data exposure. Your favorite apps may be peeking at more than you think. Some unnecessarily track your location, search history, and usage habits. Others have compiled unauthorized dossiers of user information or tracked logged-out individuals in violation of restrictions. Major apps and the companies behind them have been fined in Europe, sued in the United States, banned in certain Western security services, and investigated criminally and civilly. Data is gold in the new age of information, and the next scandal involving its improper or downright illegal use won’t be the first.
Apple has made a point of presenting itself as a privacy-first option in a market where that’s not always the top selling point. Yet the App Store and Google Play Store represent enormous, dynamic environments. And the companies behind the apps in them can toe — or even cross — the line. On the App Store, Apple has an automated system to block apps with malware or malicious code, but that doesn’t mean all of your data will stay private. A 2025 NowSecure report found that 75% of iOS apps tested contained both sensitive data and tracking domains, a juxtaposition that should raise the alarm in any privacy-conscious individual. Spying can be anything from bending the rules of the User Agreement to actual concerns about international espionage. Here, we’ll take a look at 10 common iPhone apps that have been tangled up in questionable privacy practices.
Siri
Siri is Apple’s own example of how its privacy-first promise doesn’t always hold up in practice. In 2019, it was revealed that Apple had hired contractors to review audio recordings made by Siri to improve its performance. Those recordings reportedly included private conversations, medical discussions, business calls, and even intimate encounters. After the backlash, Apple apologized, saying it would add an opt-in requirement and limit Siri audio reviews to Apple employees only.
It’s worth noting that Siri doesn’t always wait to be summoned. Background noise or similar-sounding words can accidentally trigger it, sometimes recording without you realizing it. Apple claims it will delete any recording determined to be an accidental Siri trigger.
In 2025, Apple agreed to pay $95 million to settle the controversy over Siri’s audio recordings. The civil case covered recordings of U.S. users from September 2014 to December 2024. However, the settlement spurred more trouble for Apple in Europe. French authorities launched a criminal investigation in October 2025 after a whistleblower filed a complaint of eavesdropping with a human rights organization. The result of that investigation is pending, but it is another blow to Apple’s self-image as a protector of consumer data.
Google Chrome
Even the widely used Google Chrome browser isn’t immune to security exploits. Apple regularly patches its software, as with the zero-day vulnerability fixed in iOS 18.6 in July 2025, to prevent hackers from accessing your data and stealing your passwords. The recent controversy surrounding Chrome centers on the browser’s ostensibly private Incognito mode.
The much-debated Incognito mode isn’t as private as it seems, since your session data can still be collected. In April 2024, Google agreed to delete billions of private browsing records to settle a class-action lawsuit filed in 2020. The lawsuit alleged that Chrome collected browsing information from users who were not logged in and using Incognito mode between June 2016 and the time of the complaint in June 2020. Google agreed to the settlement but registered its dissent regarding the validity of the claims. Google then updated its disclosure to make it clearer that Incognito mode is not a super-stealthy porthole to the deepest reaches of the unrecorded web. Some data will be tracked, including in Incognito mode.
The Incognito controversy reinforced a broader concern about how Google handles user data. Chrome is a Google product designed to suck up information, and the parent company will always dictate its behavior. In September 2025, a federal jury in San Francisco ordered Google to pay $425 million for collecting data from mobile devices, including iPhones, even when users opted out of tracking. Google is a behemoth with tentacles in every pocket and home in the developed world, and it will make the most of its most precious commodity. Notably, all this from a company that removed the requirement to refrain from evil from its code of conduct in 2018.
Facebook and Instagram
Meta, the tech giant that also owns Instagram and Facebook, has repeatedly come under scrutiny for its data collection and privacy practices. In 2025, its controversial “consent or pay” model was found to breach E.U. data protection rules by pressuring users to share more data than necessary. On iPhone, to use Instagram and Facebook for free, users had to allow these apps to collect activity, device, and location data for personalized ads, while subscribers could pay a monthly fee to browse without ad tracking. In April 2025, Meta was fined €200 million in the E.U. for forcing Facebook and Instagram users to either pay for an ad-free version or agree to data tracking.
The company’s data practices remain under scrutiny. Recently, 200 French media outlets sued Meta for allegedly collecting users’ personal data without consent to fuel its advertising network. Additionally, in 2022, Instagram was found to have mishandled minors’ data by allowing children aged 13 to 17 to open Instagram business accounts that publicly exposed their contact information. In the same year, Ireland’s Data Protection Commission fined Meta €405 million after concluding that the platform failed to protect children’s privacy or obtain proper consent, in violation of the E.U.’s data protection laws. Similarly, in 2023, a U.S. lawsuit accused the company of violating child privacy laws under the Children’s Online Privacy Protection Act (COPPA) for collecting children’s personal data without consent.
TikTok
Despite its popularity, TikTok has long faced scrutiny over its alleged links with the Chinese government and accusations of sharing user data. In May 2025, Ireland’s Data Protection Commission fined TikTok €530 million for failing to properly protect the personal data of European users under E.U. data protection law, after finding that user data was accessible to staff in China.
The relationship between the state and businesses in China is closer than in the United States. As a result, many countries, including Canada, Australia, Taiwan, and Norway, have placed restrictions on TikTok’s use on government devices to prevent that endless stream of information from falling into the wrong hands. In the U.S., TikTok’s fate has swung back and forth as the Biden and Trump administrations’ differing policies left the app’s future unclear. In 2025, TikTok was removed from Apple’s App Store and Google Play for a brief period, but was later reinstated. As recently as the end of September 2025, the New York Times reported that TikTok must find a non-Chinese owner or face an American ban.
TikTok’s extensive data collection includes keystroke patterns that can track when and how often you click. TikTok says this data helps improve security and performance, but for privacy-focused iPhone users, the addictive app may raise alarm bells. With a demonstrated history of European security concerns, TikTok may be one doom scroll to do without.
DoorDash
DoorDash might be delivering your data along with your dinner. When you look at app permissions, it demands almost all data linked to you, from location, contacts, and web history to identifiers and financial info, far more than required to deliver a pizza. Consumers are accustomed to trading personal information to apps in exchange for convenience, but DoorDash partners its endless appetite for every byte of your information with questionable sharing practices. In 2024, California’s attorney general fined DoorDash $375,000 for violating the California Consumer Privacy Act (CCPA) and CalOPPA, after finding that it shared users’ personal data, including names, home addresses, and order histories, with marketing companies without offering consumers an opportunity to opt out.
As part of the 2024 settlement, California’s attorney general required DoorDash to improve its privacy disclosures and submit regular reports detailing how it shares user information. In September 2025, DoorDash users filed a lawsuit in U.S. District Court, signaling further trouble for the app, but the case was ordered resolved through private arbitration.
VPN apps
Free VPNs represent a security soft spot as a hive of potentially harmful actors. If you use a VPN, all of your apps’ traffic passes through its servers, and if that VPN is privacy-invasive, it can log your data packets. According to a TechRadar report, free VPN apps such as Super Unlimited Proxy and Free VPN: Unlimited VPN Proxy request permissions for location, user content, and device identifiers. A VPN doesn’t need most of this data to work. If the product is free, you’re the product, meaning that some VPNs may be spying on information the average consumer didn’t consider.
A 2025 investigation by Zimperium zLabs, which studied 800 free VPN apps, found that 6% of iOS VPNs requested deep system access and 25% lacked a valid privacy manifest, meaning users couldn’t see what data is collected or how it is handled. Most people use a VPN to securely connect to public Wi-Fi, as it’s often unencrypted. Instead of using a free VPN, you can enable the iPhone’s built-in VPN-like feature, called Private Relay. This will add an extra encryption layer by hiding your IP address and preventing the ISP from seeing your browser activity. If you often rely on VPN apps, it’s best to choose a trusted, highly rated option such as Norton VPN, which prioritizes protecting your data over profiting from it.
LinkedIn
If you’re using LinkedIn on your iPhone, your data may be doing more networking than you anticipated. Behind its business-friendly interface, LinkedIn collects extensive data from iPhone users, including contacts, job history, device identifiers, and activity logs. LinkedIn says this helps improve recommendations and ad targeting, but regulators have found that its data use often goes beyond what’s necessary for core features. For instance, in 2024, security researchers at Mysk Inc. found that the LinkedIn iPhone app collected device details such as timezone, brightness, and mobile carrier via push notifications, even when users didn’t open them. This background data gathering, known as fingerprinting, helps identify devices for targeted ads and tracking, circumventing Apple’s policies to do so.
In October 2024, Ireland’s Data Protection Commission fined LinkedIn €310 million after finding that it unlawfully used personal data in behavioral analysis, such as tracking clicks, searches, and time spent on pages, to serve targeted advertising. Around the same time, it was revealed that LinkedIn had begun training its AI models on user data before updating its terms of service to inform consumers and provide an opt-out toggle. For iPhone users who see LinkedIn as a safe space for professional growth, these revelations show how even productivity apps can overstep.
Cleaner Kit
iPhone cleaner apps like Cleaner Kit by BPMobile can help you optimize your device storage by removing duplicate photos, compressing large videos, and deleting spam emails. While this may sound productive, the app collects nine categories of data, including coarse location, user ID, and product interaction, and shares it with third parties, raising concerns about why a cleaner app needs location access.
Cleaner Kit isn’t alone. A 2025 Surfshark analysis revealed striking data-sharing patterns among cleaner apps. The study analyzed 10 popular cleaner apps on the App Store, including Cleaner Kit, Cleanup, AI Cleaner, and Cleaner Guru, and found that these apps share user data with third parties for analytics, and in some cases, even with data brokers who use it to deliver personalized ads.
Surfshark found that 70% of cleaner apps share user data, including location, purchase history, identifiers, and device IDs. While these practices may comply with privacy disclosure rules, they raise concerns about how much data utility apps really need to function.
How to safeguard your data on iPhone
Most everyday apps you use ask for device permissions to operate. You cannot wholly prevent apps from collecting your data, as some data collection is inherent to their operation, but you can restrict apps from accessing information they don’t require. For example, if a mapping app asks for contact or media access, which isn’t necessary for navigation, you can deny it. Open your iPhone’s Settings, review each app’s permissions, and disable any access an app doesn’t need. You can also encrypt your iCloud backup with Advanced Data Protection to keep your information secure with the highest level of cloud data security. Unfortunately, for as long as every data point about a person is for sale, apps will seek ways to gather that information, even, as we have seen, if it means skirting the privacy policies meant to protect consumer data.
Via: bgr.com






