Widespread Privacy Risks from Mobile App Data Practices and Regulatory Age Verification Requirements
A recent large-scale analysis of 50,000 mobile applications found that over 77% of them leak personally identifiable information through insecure data handling and insufficient privacy controls. Many iOS applications omit the required privacy manifests, while many Android apps sidestep explicit Data safety disclosures, leaving blind spots in both platforms' transparency mechanisms. Because mobile devices sit at the center of daily communication and financial transactions, these gaps expose users to tracking, profiling, and data theft, and the study frames the problem as systemic rather than confined to a few outliers.

In parallel, regulatory efforts to protect minors online are creating new privacy risks. Texas's SB 2420 mandates age assurance for app store users and developers, and Apple has objected that such laws force the collection and storage of sensitive personal information, such as government IDs, even for benign app downloads, enlarging the pool of data a breach could expose. Starting January 1, 2026, Apple will require new account holders in Texas to confirm whether they are 18 or older, and minors will need parental consent for app downloads and purchases, further expanding the volume of sensitive data collected. Apple argues that verification should be limited to apps where it is genuinely necessary and warns that blanket mandates carry unintended privacy consequences. The patchwork of state-level laws compounds the problem: similar regulations are scheduled to take effect in Utah and Louisiana, forcing developers to satisfy varying compliance standards.
The risks of such data collection are not theoretical: a recent breach at a third-party customer support provider used by Discord, which processed age-verification appeals, exposed images of users' government IDs. The incident shows the concrete danger of accumulating large repositories of personal data to satisfy a compliance requirement. Insecure app data practices and regulation-driven data collection compound each other, and both industry and regulators must balance user safety, especially for minors, against the need to minimize unnecessary data exposure. The findings point to a need for privacy-by-design in app development and for regulatory approaches that do not inadvertently increase user risk. As mobile platforms evolve, sustained attention from app developers, platform providers, and policymakers will be needed to address these threats. Users should remain cautious about the permissions they grant and the information they share with mobile applications, and the industry must prioritize transparency, user control, and robust security measures to restore trust in the mobile app ecosystem.
Related Stories
Android Mobile Apps Expose Sensitive User Data Through Security Weaknesses and Side-Channel Attacks
Researchers have uncovered significant security and privacy issues in Android mobile applications, particularly in the healthcare sector. A study of 272 healthcare-related Android apps found that many transmit sensitive user data without encryption, store files insecurely, or share information with third-party components without adequate safeguards. The team combined several static analysis tools: MobSF, RiskInDroid, and OWASP Mobile Audit. MobSF flagged weaknesses in permissions, network handling, certificate management, and manifest configuration, with app security scores ranging from 35 to 60 out of 100. RiskInDroid found that 150 apps used permissions their manifests never declared, potentially creating hidden channels for data exfiltration, and it flagged proprietary (vendor- or app-defined) permissions that can bypass the standard Android permission model. The OWASP Mobile Audit of 95 apps detected unencrypted local storage, hardcoded credentials, and missing input validation, mapped to the OWASP Mobile Top 10 categories. Separately, researchers have shown that some apps can sidestep operating system permissions altogether and read sensitive data through hidden methods and side-channel attacks. One such attack, dubbed 'Pixnapping' and tracked as CVE-2025-48561, lets a malicious app with no special permissions infer, pixel by pixel, what another app is displaying, exposing secrets such as two-factor authentication codes. Pixnapping was demonstrated on Google Pixel 6 through 9 and the Samsung Galaxy S25, and it is conceptually similar to a 12-year-old browser-based pixel-stealing technique. Despite Google's earlier attempt to address the vulnerability, the researchers showed the flaw remains exploitable on Android 13 through 16.
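The manifest-versus-code mismatches that RiskInDroid surfaces, and the manifest configuration issues MobSF flags, come down to a few checks that are easy to reproduce on a small scale. The script below is an added illustration of those checks and is not code from either tool or from the study: it parses a manifest for declared permissions, scans source text for API calls that imply a permission, and compares the two sets, then reports whether cleartext HTTP is allowed. The API-to-permission table is a hand-written, deliberately tiny assumption (real tools use generated mappings with thousands of entries), and the com.example.healthtracker manifest and source file are constructed for the example.

```python
"""Added example: a minimal Android permission-consistency and cleartext check.
Not the code of RiskInDroid, MobSF or the cited study."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a tiny hand-written map from framework API calls to the permission
# they require. Real tools use generated mappings; these only cover the sample.
API_PERMISSIONS = [
    (re.compile(r"\brequestLocationUpdates\s*\("), "android.permission.ACCESS_FINE_LOCATION"),
    (re.compile(r"\bgetDeviceId\s*\("), "android.permission.READ_PHONE_STATE"),
    (re.compile(r"\bContactsContract\.Contacts\.CONTENT_URI\b"), "android.permission.READ_CONTACTS"),
    (re.compile(r"\bCamera\.open\s*\("), "android.permission.CAMERA"),
    (re.compile(r"\bsendTextMessage\s*\("), "android.permission.SEND_SMS"),
]
KNOWN_PERMISSIONS = {perm for _, perm in API_PERMISSIONS}


def declared_permissions(manifest_xml):
    """Permissions the manifest declares via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def used_permissions(sources):
    """Permissions implied by API calls found in the given source strings."""
    used = set()
    for src in sources:
        for pattern, perm in API_PERMISSIONS:
            if pattern.search(src):
                used.add(perm)
    return used


def cleartext_allowed(manifest_xml):
    """True if the app may talk plain HTTP. An explicit usesCleartextTraffic
    attribute wins; otherwise Android 9 (API 28) and later deny cleartext."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        return flag.lower() == "true"
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    return target < 28


def audit(manifest_xml, sources):
    """Compare declared and code-implied permissions and check cleartext policy."""
    declared = declared_permissions(manifest_xml)
    used = used_permissions(sources)
    return {
        # code needs these, but the manifest never asked for them
        "undeclared": sorted(used - declared),
        # declared, covered by our map, yet no matching API call: over-privileged
        "unused": sorted((declared & KNOWN_PERMISSIONS) - used),
        # outside android.permission.*: OEM- or app-defined, needs manual review
        "custom": sorted(p for p in declared if not p.startswith("android.permission.")),
        "cleartext_traffic": cleartext_allowed(manifest_xml),
    }


# Constructed sample input: a fictional health app's manifest and one source file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.healthtracker">
    <uses-sdk android:targetSdkVersion="33"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="com.example.vendor.permission.READ_HEALTH_STORE"/>
    <application android:label="HealthTracker" android:usesCleartextTraffic="true"/>
</manifest>"""

SAMPLE_SOURCE = """
package com.example.healthtracker;
public class SyncService {
    void track(LocationManager lm, LocationListener l) {
        lm.requestLocationUpdates(LocationManager.GPS_PROVIDER, 0, 0, l);
    }
    String deviceId(TelephonyManager tm) {
        return tm.getDeviceId();
    }
}
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST, [SAMPLE_SOURCE]).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports two permissions the code needs but the manifest never declares (fine location and phone state), one declared permission with no matching call (READ_CONTACTS), one custom vendor permission, and cleartext traffic explicitly enabled despite a target SDK that would otherwise deny it. The "unused" check is deliberately restricted to permissions the map knows about, so a partial map produces no false positives for permissions such as INTERNET that it cannot see.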
The ability of apps to sidestep permissions and leverage hardware side channels raises serious concerns about the effectiveness of current Android security controls. These findings highlight the urgent need for stronger app vetting processes, improved permission management, and enhanced user awareness regarding the risks of installing mobile applications. The exposure of sensitive healthcare data is particularly alarming, given the potential for identity theft, fraud, and privacy violations. Security experts recommend that users exercise caution when granting permissions to apps and that developers adhere to best practices for secure coding and data protection. The research underscores the importance of regular security assessments and updates to address emerging threats in the mobile ecosystem. Industry standards such as the OWASP Mobile Top 10 provide a useful framework for identifying and mitigating common vulnerabilities. The ongoing discovery of new attack vectors, such as Pixnapping, demonstrates that attackers continue to innovate, necessitating a proactive and layered approach to mobile security. Organizations handling sensitive data, especially in healthcare, must prioritize mobile app security to protect user privacy and comply with regulatory requirements. The convergence of insecure app design and advanced attack techniques poses a growing threat to the confidentiality and integrity of user data on Android devices.
5 months ago
Consumer Attitudes and Regulatory Shifts in Online Data Privacy and Age Verification
Recent research highlights that a majority of consumers believe they are primarily responsible for their own data privacy, with 67% of survey respondents indicating personal agency as the main factor in protecting their information. Despite this, consumers expect technology companies and regulatory agencies to support privacy through transparent systems and informed consent. However, practical decisions, such as choosing between free, ad-supported services and paid, privacy-focused alternatives, reveal that cost remains a significant factor in user choices, often outweighing privacy concerns. Simultaneously, 2025 saw the widespread implementation of online age verification requirements across Europe and the US, particularly for adult content and other regulated sites. These measures, intended to protect minors, have resulted in increased use of ID checks, geo-blocking, and VPN circumvention, raising new privacy and usability challenges. The tension between safety and privacy is evident, as most age verification methods require users to submit sensitive personal data, increasing the risk of exposure in the event of a breach. Regulators continue to push for stronger identity verification, but the practical impact has been confusion and restricted access for many users.
2 months ago
Apple Expands App Store Age Assurance and 18+ Download Restrictions
Apple introduced expanded *age assurance* capabilities for the App Store to support compliance with new or emerging regulations in multiple jurisdictions, including Brazil, Australia, Singapore, Utah, and Louisiana. As of **Feb. 24, 2026**, Apple began blocking downloads of **18+ rated apps** in Brazil, Australia, and Singapore unless the user is confirmed to be an adult, using what Apple describes as “reasonable methods” for age confirmation. Apple also expanded the **Declared Age Range API** (iOS/iPadOS/macOS) and related platform components (including PermissionKit’s *Significant Change API*, a new StoreKit age-rating property type, and App Store Server Notifications) to provide developers with an age category plus signals about the assurance method and whether regulatory requirements apply; in Brazil, certain disclosures (e.g., loot boxes) can drive an app’s rating to **18+**. Broader policy debate continues around online age assurance in the U.S. and internationally, with jurisdictions adopting or considering stricter mandates and platforms preparing new verification requirements. Public skepticism remains elevated due to backlash against age-gating (including reported VPN usage spikes in response to the UK’s requirements) and concerns about data security following breaches at age-verification providers (e.g., **Sumsub** disclosing a previously undetected 2024 compromise). The policy environment is also being shaped by U.S. state laws and litigation, including the Supreme Court’s decision in *Free Speech Coalition v. Paxton* upholding Texas’s age verification law, while proponents argue that privacy-preserving age assurance approaches are becoming more technically mature and scalable.
2 weeks ago