Finance apps are much more interested in you than you think

September 16, 2025 2:00 pm

Source: site

Most people download finance apps to check their balances, transfer money, and maybe pay a bill. But it turns out these apps are interested in much more than just finance-related activities. Cybernews has analyzed 44 of the top finance apps and the permissions they request.

Our research reveals that most of the analyzed apps are involved in ad networks, meaning they use information about how you interact with ads, your spending patterns, and even your personal interests to make money through ads.

The team also uncovered the widespread use of dangerous permissions, such as camera and location access – data that isn’t essential for a finance app to work.

Most finance apps we analyzed are connected to ad networks

The majority of the finance apps we looked at collect a device’s Advertising ID, which lets ad networks recognize your device and tie it to past activities. Almost three-quarters request a permission that tracks the ads you click and what you do afterwards, such as buying something or downloading another app (i.e., ad attribution).

It’s great for marketers, but it can also build a behavioral profile of you.

A smaller group of apps also collects data on your topics of interest and places you into audience groups for more accurate ad targeting.

One positive thing to point out is Google’s new Privacy Sandbox, thanks to which ad-related data access has become more privacy-preserving. Instead of apps directly requesting ad-related permissions, they now interact with Sandbox APIs controlled at the OS level, meaning that Android, not the app, manages the data and user controls in a centralized location.

However, many apps do not request user consent before using Privacy Sandbox APIs, even though Google strongly encourages this. While users can opt out manually through settings, many don’t even know they’re subject to such ad tracking in the first place.

[Figure: Finance apps graph]

Why is the use of ad networks so concerning?

We don’t know for sure where the data collected through ad networks ends up and how it’s used.

For example, will banks know to raise interest rates or deny users credit based on the data collected on them? Also, will the companies serving ads receive data on your income and spending habits through ad networks?

There’s no definitive answer to this, but the lack of transparency and weak consent enforcement mean we cannot be certain where user data flows and who has access to it.

More questionable permissions were detected

Our researchers also found a long list of other sensitive permissions that finance apps request – many of which have little to do with actually running a finance app.

For example, 86% of the apps ask for camera access. Outside of occasional ID verification, it’s hard to see why nearly every finance app would demand this.

In addition, 61% of the apps also request microphone access. Camera and microphone access doesn’t automatically mean apps are secretly filming and listening to you, but it does widen the attack surface and make users more vulnerable in case of a data breach. In a worst-case scenario, a hacker might be able to spy on you through these permissions, and you wouldn’t even know it.

Location is another big one, with 77% of apps asking for precise location tracking. While location data can help with fraud prevention and compliance, there’s no need for precise location tracking – an approximate location would serve the same purpose. Twenty-seven percent of the analyzed apps also request access to background location tracking, meaning they want to know where you are 24/7, even when you’re not using the app.

Storage permissions were also surprisingly common. Sixty-eight percent of apps want to read files from your device, and 61% want to write to them. Some of this may be explained by check deposits or exporting statements, but broad storage access creates risks: if the app is ever compromised, it suddenly has a window into your personal files.

Other permissions raise eyebrows too. About half the apps want to know your network type, SIM status, and call activity. A third of the apps want the ability to download files silently in the background without notifying you.

A smaller group of apps wants to initiate phone calls or see which accounts you’ve added to your device (such as Google or OneDrive).

And then there are the head-scratchers: some apps want to be able to edit your contacts and calendar, and some want to see your full list of installed apps. Maybe there’s a niche feature behind each one, but collectively, it looks a lot like permission creep.

[Figure: Sensitive permissions]

Which apps had the most dangerous permissions?

Out of the 44 analyzed finance apps, 15 stood out for requesting the most dangerous permissions, such as camera and location access.

EarnIn – an app that lets you receive your earned money before your payday – is number one, requesting 14 dangerous permissions. The list includes many other well-known and widely used finance apps.

[Figure: Dangerous permissions]

Why excessive app permissions are concerning

One risk of excessive app permissions is function creep: a permission you gave for one purpose – like letting an app access your contacts to split a bill – may later be repurposed for something entirely different.

Another risk is third-party sharing, where your data gets quietly passed to brokers or analytics firms that build detailed profiles of your habits.

The more organizations that have access to your data, the greater the risk of leaks, misuse, or even exploitation. But it’s not just organizations that may get access to your data – the worst-case scenario is when that data gets into the hands of hackers.

Worst-case scenario: if hackers get in

Data breaches are much more common than people think: in the first half of 2025 alone, the US had more than two million breached accounts. If an app with excessive permissions suffers a data breach, malicious actors may gain information about users’ names, location histories, contact lists, and even personal calendars. The more permissions an app has, the more vulnerable users are.

Once hackers obtain this information, users are exposed to all sorts of dangers, such as:

  • Identity theft: Hackers may try to impersonate you if your name and other personal information are leaked.
  • Spear phishing: Hackers may use your personal information to try to scam your friends and family – for example, they may reach out to them pretending to be you. They may craft compelling messages asking them to click on a malicious link, send money, or provide more sensitive information.
  • Stalking: Through location data, hackers may be able to find out about your daily routine and places you frequently visit. This can make it easier to stalk you and possibly time home burglaries when you’re not home.
  • Blackmail/extortion: If hackers obtain sensitive data through camera/microphone access or sensitive files through storage permissions, they may try to blackmail you.
  • Doxxing: Some malicious actors may publish sensitive information on victims with the sole purpose of intimidating or shaming them.

These are just a few specific threats users face when their sensitive information leaks. Depending on a hacker’s skill level and creativity, users can be exposed to a wide range of other threats.

Here’s what you can do to stay safe

To stay safe, practice the principle of least privilege – only grant permissions necessary for apps to perform their functions. Go through your full list of apps and revoke all unnecessary permissions. Also, delete any apps that you no longer use – they may be collecting data on you in the background. The same goes for new apps – don’t blindly accept all permissions just because you’re in a rush to start using the app.

Finally, update your apps regularly (preferably, set up automatic software updates). Updates often include security fixes to known software vulnerabilities that can be exploited by malicious actors.

Methodology

On August 6th, the Cybernews research team began investigating finance apps and the permissions they request. The team selected Google Play’s auto-generated “Top free finance apps” list, which included 45 apps, and successfully downloaded 44 of them directly from the Play Store using a third-party tool.

Next, researchers created custom scripts to extract the permissions requested by each app, taking declarations directly from AndroidManifest.xml files in each application package.

Finally, the researchers enriched these permission lists using the Android 16 version of AOSP (Android Open Source Project) to categorize dangerous permissions and determine which permissions are granted automatically, without the user’s knowledge or consent.
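
The extraction and categorization steps described above can be sketched as follows. This is an added example, not the Cybernews team's scripts: it assumes the manifest has already been decoded from the APK's binary XML into text, uses a hand-picked subset of AOSP dangerous permissions, takes 36 as the API level for Android 16, and runs on a constructed sample manifest with a made-up package name.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Hand-picked subset of AOSP "dangerous" (runtime) permissions, for illustration only;
# a full audit would read protection levels from the AOSP platform manifest.
DANGEROUS = {P + n for n in (
    "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "ACCESS_BACKGROUND_LOCATION", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_CONTACTS", "WRITE_CONTACTS", "READ_CALENDAR", "WRITE_CALENDAR",
    "READ_PHONE_STATE", "CALL_PHONE", "GET_ACCOUNTS")}
# Advertising ID and Privacy Sandbox permissions; granted without a runtime prompt.
AD_RELATED = {"com.google.android.gms.permission.AD_ID"} | {P + n for n in (
    "ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION",
    "ACCESS_ADSERVICES_TOPICS", "ACCESS_ADSERVICES_CUSTOM_AUDIENCE")}

def audit_manifest(xml_text, device_sdk=36):
    """Bucket the permissions declared in a decoded AndroidManifest.xml."""
    report = {"dangerous": [], "ads": [], "other": [], "not_applicable": []}
    for el in ET.fromstring(xml_text).iter():
        name = el.get(NS + "name")
        if el.tag not in ("uses-permission", "uses-permission-sdk-23") or not name:
            continue
        max_sdk = el.get(NS + "maxSdkVersion")
        if max_sdk is not None and int(max_sdk) < device_sdk:
            bucket = "not_applicable"  # declaration is ignored on this OS version
        else:
            bucket = "ads" if name in AD_RELATED else "dangerous" if name in DANGEROUS else "other"
        report[bucket].append(name)
    return report

# Constructed sample manifest (not taken from any analyzed app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.financeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for bucket, names in audit_manifest(SAMPLE_MANIFEST).items():
        print(bucket, names)
```

The `not_applicable` bucket matters when counting: a permission declared with `maxSdkVersion` below the device's API level is in the manifest but is never requested on that device.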

© Copyright 2025 Credit and Collection News