Assessment of Most Used Apps
The review of the 20 most widely used mobile applications across Africa shows persistent and systemic privacy risks across categories.
Social networking apps remain the largest group at 40% (down from 60% last year), followed by file-sharing apps at 10%, with all other categories including mobile banking, email, web browsing, online shopping, betting, productivity, and streaming each accounting for 5%.
Categories of Most Used Apps
The assessment also reviewed the 20 most widely used mobile applications across the evaluated countries. Consistent with last year's findings, social networking apps remained the largest category, though their share declined to 40% of the top apps from 60% in the previous analysis. File-sharing apps were next at 10%, while the other categories — including video streaming, email, web browsing, e-Bible apps, video editing tools, mobile banking, caller ID and spam blocking, productivity tools, online shopping, and sports/betting apps — each accounted for 5%, down from about 6.7% each last year.
This relative decline in the prevalence of social networking apps signals weakening or inconsistent privacy protections, even as these platforms continue to process extensive sensitive personal data such as user profiles, interactions, location information, contacts, and behaviour patterns. The regression may reflect expanded data uses (for example, for AI training or advanced advertising), increased third-party integrations, or slower adaptation to evolving regulatory requirements. Other app categories similarly lag, often lacking basic safeguards. The even lower performance among non-social categories underscores systemic shortcomings throughout the ecosystem.
These deficiencies have direct adverse effects on data subjects' rights under established national and international data protection frameworks. Fundamental rights related to information and transparency, access and portability, rectification and erasure, restrictions on processing and objection, and protection from automated decision-making are increasingly at risk, particularly in categories scoring below social networking apps such as mobile banking, email, web browsers, and file-sharing services. For instance, financial applications managing transaction data or browsers tracking user activity may expose individuals to extended data retention, unauthorised sharing, or breaches without sufficient mechanisms to exercise their rights. This erosion of protections undermines user autonomy and heightens the risk of identity theft, discriminatory profiling, and financial harm.
Across categories, common deficiencies include excessive collection of personal data beyond what is strictly necessary, inadequate encryption of data both in transit and at rest, opaque data-sharing practices with advertisers and partners, deficient consent mechanisms (such as pre-ticked boxes or bundled consents), and a lack of transparent reporting or comprehensive data protection impact assessments.
Potentially Dangerous Apps
The figure above highlights 14 apps classified as potentially dangerous based on the number of embedded trackers and permissions, an increase from 10 last year, indicating a growing risk in mobile privacy. Trackers are pieces of software embedded in apps to collect and store information about users' online behaviours, such as websites visited, links clicked, time spent in different features, device identifiers, and location data. While tracking can support useful functions like crash reporting and app performance analytics, it also enables detailed profiling and personalised advertising, often without clear user understanding or meaningful consent, posing significant privacy risks.
Several widely used apps demonstrate particularly high tracker counts. Google-branded apps remain prominent, reflecting extensive data collection across services such as Search, Maps, Gmail, and YouTube, which can include location, browsing behaviour, and personal identifiers. This practice raises concerns about transparency and user control, and may trigger compliance issues under regulations like GDPR. File-sharing apps such as Xender similarly show high tracking activity despite their primary function not requiring such extensive data collection, suggesting potential use of collected data for profiling and advertising rather than core functionality.
Messaging and social platforms like WhatsApp, Instagram, Facebook, X (formerly Twitter), and Facebook Messenger also exhibit substantial tracking.
Although some apps offer encryption for communication content, trackers still collect metadata (e.g., device information and interaction patterns), which can be used to build detailed user profiles with limited transparency or control.
Email and video platforms like Gmail and YouTube show similar patterns, where invisible trackers or behavioural data capture can reveal engagement behaviour and expose users to profiling or third-party data flows without explicit consent.
Other popular apps such as TikTok, Snapchat, Truecaller, SHAREit, and CapCut each contain significant tracker footprints despite disparate functions, amplifying broader privacy and data protection concerns across categories. In particular, tracking mechanisms that collect identifiers and behavioural signals can erode user autonomy and increase the risk of data sharing beyond necessary operational purposes.
Across this set of high-tracker apps, key issues include a lack of clear disclosures and consent mechanisms, pervasive data collection that exceeds functional necessity, and limited user control over how personal information is used and shared, with potential implications for profiling, targeted advertising, and security vulnerabilities such as data breaches. These findings underscore the urgent need for stronger transparency, improved consent practices, data minimisation, and enhanced compliance with data protection principles to protect users' rights and personal data in a landscape where pervasive tracking has become the norm rather than the exception.
Analysis of Mobile App Trackers
The analysis of trackers embedded in the most-used apps reveals a high concentration of a small number of recurring tracking technologies, rather than a diverse ecosystem. Google Firebase Analytics emerges as the most dominant tracker, appearing in roughly 70% of the sampled apps, followed by Google AdMob at approximately 45%, and Facebook (Meta) technologies such as Facebook Login and Facebook Share at around 40%. Google Analytics, Google Crashlytics, and AppsFlyer also show notable recurrence, each appearing in approximately 30–35% of apps. This pattern indicates that a limited set of trackers forms the core surveillance infrastructure of popular applications. Importantly, most apps do not rely on a single tracker; instead, they deploy multiple trackers simultaneously, creating layered and overlapping data collection practices that significantly increase cumulative privacy risk.
In sum, the analysis shows that tracking in popular apps is highly concentrated and dominated by a small number of corporate ecosystems, rather than being evenly distributed across many providers. Google trackers account for almost half of all observed tracking activity (45.5%), while Meta (Facebook) trackers contribute nearly a quarter (22.7%), meaning that over two-thirds of user data flows are directed to just two companies. This dominance is driven by the widespread, often default, use of analytics, advertising, and identity SDKs that are deeply embedded in app development workflows and frequently deployed together within the same app.
While trackers are commonly justified as necessary for analytics, monetization, performance monitoring, and growth measurement, the findings indicate that their scale, persistence, and overlap significantly amplify privacy risks. Users are routinely exposed to layered tracking that enables cross-app aggregation, long-term profiling, and data sharing with third parties they have no direct relationship with or practical ability to avoid. As a result, the primary privacy concern is not the presence of any single tracker, but the cumulative impact of dominant tracking ecosystems, which systematically reduce user control, weaken meaningful consent, and pose material challenges to data protection and privacy rights.
A striking feature of the findings is the concentration of tracker ownership among a few large technology companies, primarily Google and Meta (Facebook). Google-owned trackers — including Firebase Analytics, AdMob, Google Analytics, Crashlytics, and Tag Manager — collectively appear in over 80% of the sampled apps, positioning Google as the dominant backend data processor across the mobile app ecosystem. Meta follows closely through Facebook Login, Facebook Share, Facebook Ads, and Facebook Analytics, which together appear in more than half of the apps analysed. Attribution and advertising trackers such as AppsFlyer, Adjust, Unity Ads, Vungle, Mintegral, and Pangle further extend data flows to a broader advertising technology ecosystem. This concentration means that user data generated across ostensibly unrelated apps is frequently funnelled to the same corporate entities, increasing the likelihood of cross-app aggregation, profiling, and long-term retention beyond the control or awareness of users.
Analysis of App Permissions
App permissions are requests made by applications to access specific features or data on your mobile phone, such as your camera, contacts, location, or storage. These permissions are necessary for certain app functions. For example, a navigation app needs location access to provide directions, or a messaging app requires access to contacts to help you communicate. When used appropriately, permissions enable apps to deliver their intended services efficiently and securely. However, granting permissions without understanding their necessity can expose your personal data to misuse or compromise your privacy. Excessive permissions could lead to potential risks like data breaches, targeted advertising, or unauthorised access to sensitive information. Examples include apps that request access to multiple sensitive areas like your camera, storage, location, and call logs without a clear justification for why all of these are needed.
Across the apps analysed, a relatively small set of permissions recur consistently, indicating common design patterns rather than app-specific necessity. The most prevalent permissions, as highlighted in the figure above, fall into three broad clusters: network and background operation permissions (such as INTERNET, ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, WAKE_LOCK, FOREGROUND_SERVICE, and RECEIVE_BOOT_COMPLETED), media and sensor access permissions (including CAMERA, RECORD_AUDIO, READ_EXTERNAL_STORAGE, and the newer READ_MEDIA variants), and identity, advertising, and account-related permissions (notably GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, AD_ID, and AdServices attribution permissions). Their high recurrence reflects the fact that most modern apps rely on persistent connectivity, background syncing, analytics, notifications, media sharing, and monetisation through advertising or in-app purchases.
From a functional perspective, many of these permissions are defensible in isolation. Network and foreground service permissions enable real-time messaging, media uploads, notifications, and smooth app performance; media and camera access supports core features such as photo sharing, video recording, and content creation; advertising and attribution permissions are used to measure installs, personalise ads, and sustain free-to-use business models.
However, the privacy reality emerges when these permissions are combined and persist over time. Continuous network access paired with background execution and device wake locks allows apps to operate almost continuously, while media, microphone, and camera permissions create pathways to highly sensitive personal data. Advertising and account-related permissions further enable linkage between app activity, device identifiers, and user profiles, often across multiple services and apps.
The cumulative impact on user privacy is therefore significant. Rather than isolated data points, these permissions facilitate broad behavioural visibility, revealing where users are, who they communicate with, what media they create or consume, and how they interact with their devices. Even permissions considered "low risk" on their own, such as network state or Wi-Fi access, can meaningfully contribute to profiling when combined with identifiers and background operation.
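The clustering described above can be reproduced when auditing an app. The following is an added example, not part of the assessment's own tooling: it buckets the permissions declared in a decoded AndroidManifest.xml into the three clusters and flags the combinations the text identifies as risky. The cluster keys, flag labels, and both sample manifests are constructed for illustration, and the manifest is assumed to have already been decoded from the APK's binary XML into text.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# The three clusters named in the text, limited to permissions it lists.
CLUSTERS = {
    "network_background": {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
                           "WAKE_LOCK", "FOREGROUND_SERVICE", "RECEIVE_BOOT_COMPLETED"},
    "media_sensor": {"CAMERA", "RECORD_AUDIO", "READ_EXTERNAL_STORAGE"},
    "identity_ads": {"GET_ACCOUNTS", "AUTHENTICATE_ACCOUNTS", "AD_ID",
                     "ACCESS_ADSERVICES_ATTRIBUTION"},
}
BACKGROUND = {"WAKE_LOCK", "FOREGROUND_SERVICE", "RECEIVE_BOOT_COMPLETED"}

def declared_permissions(manifest_xml):
    """Short names of every permission a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)  # constructed input; use a hardened parser for untrusted files
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get(NS + "name", "") for tag in tags for el in root.iter(tag))
    return {n.rsplit(".", 1)[-1] for n in names if n}

def assess(manifest_xml):
    """Bucket permissions by cluster and flag the combinations the text describes."""
    perms = declared_permissions(manifest_xml)
    found = {c: perms & members for c, members in CLUSTERS.items()}
    found["media_sensor"] |= {p for p in perms if p.startswith("READ_MEDIA_")}
    # "Persistent" = network access paired with background execution or wake locks.
    persistent = "INTERNET" in perms and bool(perms & BACKGROUND)
    flags = []
    if persistent and found["media_sensor"]:
        flags.append("persistent-sensor-access")
    if persistent and found["identity_ads"]:
        flags.append("persistent-identity-linkage")
    if all(found.values()):
        flags.append("all-three-clusters")
    return found, flags

def _manifest(*perms):  # builds a constructed sample manifest
    rows = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="example.constructed">{rows}</manifest>')

SHARING_APP = _manifest("android.permission.INTERNET", "android.permission.WAKE_LOCK",
                        "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.CAMERA",
                        "android.permission.READ_MEDIA_IMAGES",
                        "com.google.android.gms.permission.AD_ID",
                        "android.permission.ACCESS_FINE_LOCATION")
MINIMAL_APP = _manifest("android.permission.INTERNET")

if __name__ == "__main__":
    for label, doc in (("sharing", SHARING_APP), ("minimal", MINIMAL_APP)):
        found, flags = assess(doc)
        print(label, {c: sorted(p) for c, p in found.items()}, flags)
```

Permissions outside the three clusters (here, location) are parsed but deliberately left unbucketed, since the text does not assign them to a cluster.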
For a privacy scorecard, the key concern is not merely whether permissions are technically justified, but whether their scope, frequency, and persistence are proportionate, transparently disclosed, and meaningfully controllable by users. In practice, the high recurrence of sensitive and quasi-sensitive permissions suggests a structural imbalance where user data protection is often secondary to optimisation, monetisation, and convenience.
