Thursday, November 27, 2025

How to Secure Your iPhone and Android Device Against Nation-State Hackers

US cybersecurity officials updated their mobile security recommendations this week, warning that sophisticated hackers are bypassing device protections by manipulating users directly.

The Cybersecurity and Infrastructure Security Agency released revised guidance on November 24, adding new warnings about social engineering tactics targeting encrypted messaging apps. While the recommendations target high-risk individuals in government and politics, the advice applies to smartphone users globally.

Why the Update Matters

Nation-state hackers from foreign countries breached commercial telecommunications networks in 2025. They stole customer call records and intercepted private communications for targeted individuals. The attacks prompted CISA to expand its December 2024 mobile security guidance.

The threat extends beyond technical vulnerabilities. Hackers are tricking people into compromising their own security.

Four New Warnings About Messaging Apps

CISA identified specific tactics hackers use against apps like Signal and WhatsApp:

Fake security alerts. Hackers claim your account is compromised to trick you into giving them control. They send messages that look like security warnings, even inside the app itself, requesting PINs or one-time codes. Be suspicious of unexpected security alerts.

Malicious QR codes and invitation links. Avoid scanning group-invitation links or QR codes from unknown sources. Verify group invitations by contacting the creator through a different channel.

Compromised linked devices. Foreign threat actors abuse the legitimate linked devices feature to spy on Signal conversations, according to a February 2025 Google report. Check your messaging app's linked devices section. Remove anything you don't recognize immediately.

Message retention. Turn on message expiration features that automatically delete sensitive messages after a set time. Check workplace policies first if using a work device.

Essential Security Steps for Everyone

Switch to encrypted messaging. Use apps like Signal that provide end-to-end encryption and work across iPhone and Android. Standard text messages are not encrypted.

Stop using SMS for security codes. Hackers with access to phone networks can intercept text messages. Use authentication apps like Google Authenticator or Microsoft Authenticator instead. Physical security keys like Yubico or Google Titan offer the strongest protection.

Some services default to SMS during account recovery even after you disable it. Check each account individually.

Use a password manager. Apps like 1Password, Bitwarden, Google Password Manager, or Apple Passwords generate strong passwords and alert you to weak or compromised ones. Protect your master password with a long, random passphrase.

Set a carrier PIN. Most mobile phone carriers let you add a PIN to your account. This blocks SIM-swapping attacks where hackers transfer your number to their device. Add the PIN, then change your carrier account password.

Update everything regularly. Enable automatic updates on your phone. Check weekly to ensure updates installed correctly.

Buy recent hardware. Older phones cannot support the latest security features, even with software updates. New hardware includes protections that older models physically cannot run.

Skip personal VPNs. Free and commercial VPNs often have questionable privacy policies. They shift risk from your internet provider to the VPN company, frequently making things worse. Work VPNs required by employers are different.

iPhone Security Settings

Enable Lockdown Mode. This feature restricts apps, websites, and features to reduce attack opportunities. Some functions become unavailable.

Turn off SMS fallback. Go to Settings, Apps, Messages and disable Send as Text Message. This keeps messages encrypted between Apple users.

Use iCloud Private Relay or encrypted DNS. Private Relay masks your IP address and encrypts DNS queries in Safari. Free alternatives include Cloudflare's 1.1.1.1, Google's 8.8.8.8, or Quad9's 9.9.9.9 DNS services.

Review app permissions. Check Settings, Privacy & Security to see which apps access your location, camera, and microphone. Revoke unnecessary permissions.

Android Security Settings

Choose secure phones. Buy from manufacturers with strong security records and long update commitments. Android maintains an Enterprise Recommended list of devices meeting security standards. Look for phones with hardware security modules, monthly security updates, and five-year update guarantees.

Enable RCS encryption. Only use Rich Communication Services when end-to-end encryption is enabled. Google Messages enables this automatically when all participants use the app.

Configure encrypted DNS. Set up Android Private DNS with Cloudflare's 1.1.1.1, Google's 8.8.8.8, or Quad9's 9.9.9.9.

Check Chrome security settings. Confirm Always Use Secure Connections is enabled to force HTTPS. Enable Enhanced Protection for Safe Browsing for extra protection against phishing and malicious downloads.

Verify Google Play Protect is running. This scans apps for malicious behavior. Hackers try to trick users into disabling it. Check app scans regularly and exercise caution if using third-party app stores or sideloading apps from other sources.

Limit app permissions. Go to Settings, Apps, Permissions Manager. Remove unnecessary access to location, camera, and microphone.
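An added example, not part of the original article or of CISA's guidance: a shell check, run from a computer over adb, for two items in this checklist, the Private DNS setting and the age of the security patch level. The resolver hostnames (Android's Private DNS field takes a provider hostname rather than an IP address), the two-month patch threshold and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit two Android settings from the checklist above over adb.
# Assumptions (not from the article): adb is installed, USB debugging is
# authorised on the device, and the hostnames below are the DNS-over-TLS
# names of the three providers the article lists by IP address.

KNOWN_RESOLVERS="one.one.one.one dns.google dns.quad9.net"

# check_private_dns MODE SPECIFIER
# MODE is the global setting private_dns_mode:
#   off | opportunistic | hostname   ("null" or empty means never set)
# Prints one verdict line. Returns 0 only for strict mode with a listed
# resolver, 2 for an unlisted resolver, 3 for automatic mode, 1 otherwise.
check_private_dns() {
    mode=$1
    host=$2
    case "$mode" in
        hostname)
            for known in $KNOWN_RESOLVERS; do
                if [ "$host" = "$known" ]; then
                    echo "OK: strict Private DNS via $host"
                    return 0
                fi
            done
            if [ -z "$host" ] || [ "$host" = "null" ]; then
                echo "FAIL: strict mode set but no resolver hostname"
                return 1
            fi
            echo "REVIEW: strict Private DNS via unlisted resolver $host"
            return 2
            ;;
        opportunistic|null|"")
            echo "WARN: automatic mode; falls back to cleartext DNS if TLS is unavailable"
            return 3
            ;;
        off)
            echo "FAIL: Private DNS is off"
            return 1
            ;;
        *)
            echo "FAIL: unrecognised private_dns_mode '$mode'"
            return 1
            ;;
    esac
}

# patch_age_months PATCH_DATE TODAY   (both YYYY-MM-DD)
# Prints the whole calendar months between the two dates; returns 1 if
# either date is malformed.
patch_age_months() {
    for d in "$1" "$2"; do
        case "$d" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) return 1 ;;
        esac
    done
    py=${1%%-*}; rest=${1#*-}; pm=${rest%%-*}
    ty=${2%%-*}; rest=${2#*-}; tm=${rest%%-*}
    # Strip a leading zero so "08" and "09" are not parsed as octal.
    pm=${pm#0}; tm=${tm#0}
    echo $(( ($ty - $py) * 12 + ($tm - $pm) ))
}

# check_patch_level PATCH_DATE TODAY [MAX_MONTHS]
# MAX_MONTHS defaults to 2 (a threshold assumed for this example).
check_patch_level() {
    age=$(patch_age_months "$1" "$2") || {
        echo "FAIL: cannot parse patch level '$1'"
        return 1
    }
    if [ "$age" -le "${3:-2}" ]; then
        echo "OK: patch level $1 is $age month(s) old"
        return 0
    fi
    echo "FAIL: patch level $1 is $age month(s) old"
    return 1
}

# Read the live values from a connected device and apply both checks.
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 127; }
    mode=$(adb shell settings get global private_dns_mode | tr -d '\r')
    host=$(adb shell settings get global private_dns_specifier | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    rc=0
    check_private_dns "$mode" "$host" || rc=1
    check_patch_level "$patch" "$(date +%Y-%m-%d)" || rc=1
    return $rc
}

# Only touch a device when asked to: sh audit.sh --adb
if [ "${1:-}" = "--adb" ]; then
    audit_device
fi
```

A device that has never had Private DNS configured reports `null` for the mode, which Android treats as automatic, so the check returns the same warning as for `opportunistic`.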

The Bigger Picture

CISA says to assume all communications between mobile devices and internet services face interception or manipulation risks. No single fix eliminates all threats, but combining these protections significantly reduces vulnerability.

The guidance acknowledges that organizations may already require some measures like secure communication platforms and multi-factor authentication. Where they don't, individuals should implement these protections themselves.


Notes: This post was drafted with the assistance of AI tools and reviewed, edited, and published by humans. Image: DIW-Aigen.

by Web Desk via Digital Information World

Want To Rank Better In ChatGPT? Data Shows Sites With Strong Authority And Depth Earn Most Citations

A new analysis of 129,000 domains and more than 216,000 pages, conducted by SERanking, offers one of the clearest looks yet at how ChatGPT chooses its sources.

The study tested assumptions around domain authority, recency, structured markup, and new formats like LLMs.txt. The results point to a set of consistent patterns that influence whether a page appears in an AI response. Many common claims did not hold up under the data.

The strongest signal across the dataset is the number of referring domains. Sites with more than 32,000 referring domains are more than three times as likely to be cited compared with those that have only a few hundred. Once a domain reaches that threshold, citation growth rises sharply. This trend aligns with Domain Trust performance. Domains above DT 90 earn nearly four times the citations of those below DT 43. Page Trust also matters. Pages scoring above 28 average more than eight citations, which matches the broader pattern that ChatGPT responds to signals of authority spread across a domain.



Traffic plays a significant role but only at higher levels. Domains with fewer than 190,000 monthly visitors cluster in the same citation range. A clearer lift starts when traffic passes that point. Sites with more than ten million monthly visitors average roughly eight citations. The homepage appears to be a central factor. Domains with about eight thousand organic visitors to their homepages are about twice as likely to be cited as those with only a few hundred. Rankings show a similar pattern. Pages that average positions between one and forty five receive about five citations. Pages ranked between sixty four and seventy five average about three.

Content depth and structure contribute meaningfully. Long form articles outperform shorter ones. Pages above two thousand nine hundred words average more than five citations, while those under eight hundred words average just over three. The effect is even stronger for smaller sites where length influences citations by about sixty five percent more than it does for major domains. Pages rich in statistics show stronger results. Articles with more than nineteen data points average more than five citations. Pages with expert input average more than four citations compared with roughly two for those without. Clear structure also helps. Pages with sections between one hundred twenty and one hundred eighty words gain about seventy percent more citations than those with very short sections.

Freshness matters less than many expect, but updates make a clear difference. Newer content performs only slightly better than content that is several years old. The strongest lift appears when pages have been updated within the past three months. Updated articles average about six citations, almost double the figure for pages that have not been refreshed recently.

The study also examined formats such as FAQ sections and question based titles. On the surface, pages with FAQ sections or question styled headings seem to underperform. But the model’s interpretation shows that missing these sections can be a negative signal. Their impact improves when combined with strong authority and depth. They act as supporting elements rather than primary drivers.

Social presence emerged as one of the clearest contributors. Domains with millions of brand mentions on Quora and Reddit perform about four times better than those with very few. Even smaller sites can use these platforms to build trust signals if they participate in discussions and generate genuine mentions. Review sites show a similar pattern. Domains present on platforms such as Trustpilot, G2, Capterra, Sitejabber, and Yelp average between four and six citations. Those absent average less than two.

Technical performance shows a consistent relationship. Fast loading pages with an FCP under 0.4 seconds average almost seven citations, while slower sites fall to about two. A similar pattern appears in Speed Index results. INP scores behave differently though. Pages with moderate INP, around 0.8 to 1.0, perform best. Extremely fast INP scores tend to appear on simpler pages that attract fewer citations overall.

The study found little benefit from LLMs.txt files. They showed no meaningful impact on citation likelihood and even reduced predictive accuracy during testing. FAQ schema markup also showed minimal influence. Pages without it averaged slightly more citations than those using it, which suggests that LLMs respond more strongly to logical structure in the content itself.

All in all, the results point to a hierarchy that favors authority, depth, structure, technical quality, and visible engagement across platforms. Smaller domains can compete when they produce thorough content, maintain clear structure, update consistently, and build authentic presence on discussion and review sites. Large domains benefit most from their existing trust signals but still gain from fast, well maintained pages.

The data shows that AI models reward the same fundamentals that shape strong websites more broadly.

Notes: This post was drafted with the assistance of AI tools and reviewed, edited, and published by humans.

by Asim BN via Digital Information World

Study Finds AI Tools Already Match Human Skills in More Than a Tenth of U.S. Wage Value

A new analysis from researchers at MIT and Oak Ridge National Laboratory outlines how current AI systems already match human capabilities across a significant share of the labor market. The Iceberg Index, the study’s central measure, shows that digital AI tools can technically perform tasks linked to about 11.7% of total U.S. wage value. The estimate covers roughly 1.2 trillion dollars in work spread across finance, healthcare, administrative services, and professional roles.

The researchers stress that this figure reflects technical exposure rather than predicted job loss. The index measures where AI systems can perform skills found in existing occupations and maps those capabilities across 151 million workers. It does not attempt to forecast adoption timelines or employment outcomes. Instead, it gives policymakers and businesses a forward-looking view of skill overlap that traditional workforce data cannot capture.


To build the index, the team created a detailed digital representation of the labor market using more than 32,000 skills, 923 occupations, and 3,000 counties. Each worker appears as an agent with a skill profile and geographic location. The same skill taxonomy is applied to more than 13,000 AI-powered tools such as copilots and workflow systems. When combined, these datasets show where human and AI capabilities intersect and how much wage value is tied to tasks that AI systems already demonstrate in practice.

One section of the study focuses on what it calls the Surface Index, a view limited to current visible AI adoption. This portion of the labor market is concentrated in computing and technology roles and represents about two point two percent of wage value, or roughly 211 billion dollars. That cluster captures the most publicized examples of automation in software development and related fields. The broader Iceberg Index expands beyond those areas and reveals that the scale of potential task coverage is much larger and reaches well outside major tech hubs.

The analysis shows that administrative, financial, and professional service jobs account for much of the hidden exposure. These roles rely on cognitive and document-processing tasks that AI tools can already perform. As a result, every state registers measurable exposure even when local economies have small technology sectors. The study points specifically to manufacturing regions where white-collar coordination and support functions show far higher exposure than commonly assumed.

Several states have already integrated the index into early planning efforts. Tennessee, North Carolina, and Utah worked with the research team to test model accuracy and explore how policy choices might influence local outcomes. Officials can use the platform to examine county-level skill patterns and experiment with training programs or workforce investments before allocating significant funds.

The study also compares the index with traditional benchmarks such as GDP, income, and unemployment. These indicators show little alignment with the broader Iceberg Index and explain only a small share of state-to-state variation in exposure. This gap suggests that familiar economic signals may not reflect how AI capabilities intersect with real work, making skill-based measures more useful for anticipating transitions.

The authors note several limitations, including the focus on digital AI tools rather than robotics and the decision to measure technical capability rather than adoption behavior. Even with these boundaries, the index offers one of the clearest views yet of how AI fits into the structure of the modern workforce. The findings point to an economy in which AI reaches far beyond visible technology jobs and into routine tasks across the country, creating a need for workforce strategies that match the scale of the transition.

Notes: This post was drafted with the assistance of AI tools and reviewed, edited, and published by humans.

by Web Desk via Digital Information World

EU Member States Agree on Draft Online Child Protection Rules Without Mandatory CSAM Scanning

European Union member states have reached a common position on draft legislation aimed at strengthening online child protection, stopping short of requiring global technology companies to identify or remove child sexual abuse material. As per Reuters, the announcement was made Wednesday by the European Council.

The new Council text differs from a 2023 European Parliament proposal, which would have mandated that messaging services, app stores, and internet providers report and remove known and newly detected abusive content, including grooming materials. Under the Council’s draft, providers are now required to assess the risks of their services being used to disseminate such material and implement preventive measures where necessary. Enforcement is delegated to national authorities rather than the EU.

Companies could still voluntarily check for abusive content "beyond April next year", when current online privacy exemptions expire. The legislation also establishes an EU Centre on Child Sexual Abuse, designed to support member states in compliance and provide assistance for victims.

The Council’s approach has been described as less prescriptive than earlier proposals, focusing on risk assessment rather than compulsory monitoring or scanning. Some critics have raised concerns that allowing companies to self-assess could have implications for privacy and encrypted communications.

The European Parliament has separately called for minimum ages for children accessing social media, but no binding legislation on this issue currently exists.

EU member states must now finalize details with the European Parliament before the regulation can become law.


Notes: This post was drafted with the assistance of AI tools and reviewed, edited, and published by humans. Image: DIW-AIgen
by Asim BN via Digital Information World

Wednesday, November 26, 2025

Research Across Retailers Confirms Holiday Tactics Often Fail, Highlighting Evidence-Based Engagement Strategies

Marketing conventions are comfortable things. Marketers hold onto them - fall into well-worn grooves - especially when there’s money on the line. During busy periods, when every decision carries more weight, it can be comforting for everyone involved to opt for the familiar, proven choice. During Black Friday, brands can offer deeper discounts to drive sales. To grab attention, brands can add more urgent language. And to stand out from the crowd, brands can use customers' names. Marketers have spent so long deploying these tactics that they’ve stopped questioning their efficacy - and whether they actually work anymore.

Jacquard, a London-headquartered marketing platform, recently analysed over 200 billion email sends from major retailers over the past decade - looking specifically at campaigns during Black Friday, Cyber Monday and Christmas - to find out if these conventions really did work, or if the marketing world was barking up the wrong tree.

Perhaps one of their most significant discoveries was that their findings challenged accepted wisdom around discounts. In retail, and more broadly, the standard logic tells you that if a 40% discount performs well, then a 70% discount must perform even better. It’s understood that the more money the consumer saves, the more likely they are to purchase the item in question.

However, Jacquard’s findings suggested that this belief was mistaken. Their research found that discounts above 60% show basically no benefit compared to offers in the 30-50% range. In fact, the best performing discount range is 40-49% off, with 30-39% also doing well. If you go higher than 60%, you won’t see any additional lift in engagement.

This is partially due to increasingly savvy consumers. A huge discount - say, 75% - suggests that there might be an issue with the item, and that the retailer might be trying to clear stock for a multitude of reasons (none of them good). There are a dozen more questions as to why there might be such an extreme discount on offer, but by the time anyone’s pondered these, their thumbs have already taken them way past your email.

On the flip side, however, any discount under 10% actually hurts engagement during the holidays. It can seem insulting. Again, savvy shoppers know that bigger discounts lie in wait at other retailers and will be prepared to go searching. Offering a discount that’s less than 10% is patronising: it reads like you don’t understand the financial pressure people are under.

Another convention Jacquard’s findings challenged was the notion of ‘personalisation’ as a panacea. It’s long been held to be true in marketing circles that personalising an email - adding customer first names, and phrases like ‘for you’ - is a surefire way to ensure your subject line cuts through the noise. Jacquard’s study suggested that actually wasn’t the case, and that, in fact, personalisation of this nature can actually reduce engagement during the holidays.

This doesn’t, however, mean that personalisation is entirely dead. Instead, it suggests that lazy, shallow personalisation now reads as transparently robotic. Consumers are familiar with filling out forms for most retailers they engage with - having a first name on file isn’t going to impress anyone. And so when brands appear after years of radio silence, to send emails that name old customers, it feels distinctly like you’ve been plucked from a database compiled by an impersonal algorithm.

Actual personalisation is more than just a name. It’s context. Building an actual relationship with a customer, or offering meaningful personalisation beyond the purely cosmetic - suggestions that are genuinely helpful, an understanding of the customer’s profile - will always be valuable. Jamming a first name into a subject line and praying for the best, won’t.

During the holidays - November and December namely - urgency tactics take a huge 75% dip in effectiveness, according to the data. Every brand is using them, so they just become meaningless. If everything’s urgent, then nothing can be. Besides, it’s obvious that things are urgent. It’s Christmas - just stepping into any shop will tell you that time is running out. There are enough reminders that the holiday season is upon us: long queues of grumpy shoppers on the weekend; glassy-eyed, overworked staff behind cash registers; public transport packed with holiday shoppers clutching oversized plastic bags. Adding urgent language on top of all this just adds to the needless stress.

The Jacquard study also discovered some fun linguistic quirks in holiday email subject lines. A single question mark was found to drive engagement four times higher than an exclamation mark during the holidays.

Question marks feel like conversation. They’re dynamic: they force the reader to respond, even if it’s just mentally formulating an answer. Exclamation marks, on the other hand, just add to the general frenetic noise of a holiday-season inbox. In the same way reading a subject line in all caps can feel as if you’re being screamed at, too-liberal use of exclamation marks can feel shouty and annoying. Especially in the context of other brands using exclamation marks - the noise only builds, and digital migraines aren’t far away.

Emoji use was also found to be vital. The Christmas tree emoji is the single most effective tactic Jacquard measured in their entire study. It outperforms the exclamation mark by 13 times. However, on the other hand, the snowflake emoji actively hurt engagement.

The difference is about specificity and emotional resonance. The meaning of a Christmas tree is clear: it’s festive, familiar, and nostalgic. It conjures images of families huddled on couches or gathered around crackling fireplaces. A snowflake just refers to a season. It’s vague, and unclear. Instead of cultivating a hit of Yuletide warmth, the snowflake just reads as cold and impersonal.

The real conclusions from Jacquard’s study are twofold. Marketers need to be more rigorous in challenging accepted conventions around holiday marketing - simply falling back into playing the hits can actively damage outreach towards the end of the year. Secondly, marketers should be cautious not to underestimate the consumer. Around Black Friday and Christmas, more than any other period, consumers are subjected to a blizzard of marketing efforts that try everything: tugging at heartstrings, impressing urgency, and calling them by name.

The inbox is a conversation. Brands that treat it as such will still be able to iterate and adapt in ten years’ time. The ones that don’t may find themselves just adding to the noise - and fading to static.


Image: Justin Lim / Unsplash

by Web Desk via Digital Information World

Tuesday, November 25, 2025

From Google to Chat: The Shift in Online Searching Habits

Three years ago, if someone needed to fix a leaky faucet or understand inflation, they usually did one of three things: typed the question into Google, searched YouTube for a how-to video or shouted desperately at Alexa for help.

Today, millions of people start with a different approach: They open ChatGPT and just ask.


I’m a professor and director of research impact and AI strategy at Mississippi State University Libraries. As a scholar who studies information retrieval, I see that this shift of the tool people reach for first for finding information is at the heart of how ChatGPT has changed everyday technology use.

Change in searching

The biggest change isn’t that other tools have vanished. It’s that ChatGPT has become the new front door to information. Within months of its introduction on Nov. 30, 2022, ChatGPT had 100 million weekly users. By late 2025, that figure had grown to 800 million. That makes it one of the most widely used consumer technologies on the planet.

Surveys show that this use isn’t just curiosity – it reflects a real change in behavior. A 2025 Pew Research Center study found that 34% of U.S. adults have used ChatGPT, roughly double the share found in 2023. Among adults under 30, a clear majority (58%) have tried it. An AP-NORC poll reports that about 60% of U.S. adults who use AI say they use it to search for information, making this the most common AI use case. The number rises to 74% for the under-30 crowd.

Traditional search engines are still the backbone of the online information ecosystem, but the kind of searching people do has shifted in measurable ways since ChatGPT entered the scene. People are changing which tool they reach for first.

For years, Google was the default for everything from “how to reset my router” to “explain the debt ceiling.” These basic informational queries made up a huge portion of search traffic. But these quick, clarifying, everyday “what does this mean” questions are the ones ChatGPT now answers faster and more cleanly than a page of links.

And people have noticed. A 2025 U.S. consumer survey found that 55% of respondents now use OpenAI’s ChatGPT or Google’s Gemini AI chatbots for tasks they previously would have asked Google search to help them with, with even higher usage figures for the U.K. Another analysis of more than 1 billion search sessions found that traffic from generative AI platforms is growing 165 times faster than traditional searches, and about 13 million U.S. adults have already made generative AI their go-to tool for online discovery.

This doesn’t mean people have stopped “Googling,” but it means ChatGPT has peeled off the kinds of questions for which users want a direct explanation instead of a list of links. Curious about a policy update? Need a definition? Want a polite way to respond to an uncomfortable email? ChatGPT is faster, feels more conversational and feels more definitive.

At the same time, Google isn’t standing still. Its search results look different than they did three years ago because Google started weaving its AI system Gemini directly into the top of the page. The “AI Overview” summaries that appear above traditional search links now instantly answer many simple questions – sometimes accurately, sometimes less so.

But either way, many people never scroll past that AI-generated snapshot. This fact combined with the impact of ChatGPT are the reasons the number of “zero-click” searches has surged. One report using Similarweb data found that traffic from Google to news sites fell from over 2.3 billion visits in mid-2024 to under 1.7 billion in May 2025, while the share of news-related searches ending in zero clicks jumped from 56% to 69% in one year.

Google search excels at pointing to a wide range of sources and perspectives, but the results can feel cluttered and designed more for clicks than clarity. ChatGPT, by contrast, delivers a more focused and conversational response that prioritizes explanation over ranking. The ChatGPT response can lack the source transparency and multiple viewpoints often found in a Google search.

In terms of accuracy, both tools can occasionally get it wrong. Google’s strength lies in letting users cross-check multiple sources, while ChatGPT’s accuracy depends heavily on the quality of the prompt and the user’s ability to recognize when a response should be verified elsewhere.

OpenAI is aiming to make it even more appealing to turn to ChatGPT first for search by trying to get people to use a browser with ChatGPT built in.

Smart speakers and YouTube

The impact of ChatGPT has reverberated beyond search engines. Voice assistants, such as Alexa speakers and Google Home, continue to report high ownership, but that number is down slightly. One 2025 summary of voice-search statistics estimates that about 34% of people ages 12 and up own a smart speaker, down from 35% in 2023. This is not a dramatic decline, but the lack of growth may indicate a shift of more complex queries to ChatGPT or similar tools. When people want a detailed explanation, a step-by-step plan or help drafting something, a voice assistant that answers in a short sentence suddenly feels limited.

By contrast, YouTube remains a giant. As of 2024, it had approximately 2.74 billion users, with that number increasing steadily since 2010. Among U.S. teens, about 90% say they use YouTube, making it the most widely used platform in that age group. But what kind of videos people are looking for is changing.

People now tend to start with ChatGPT and then move to YouTube if they need the additional information a how-to video conveys. For many everyday tasks, such as “explain my health benefits” or “help me write a complaint email,” people ask ChatGPT for a summary, script or checklist. They head to YouTube only if they need to see a physical process.

You can see a similar pattern in more specialized spaces. Software engineers, for instance, have long relied on sites such as Stack Overflow for tips and pieces of software code. But question volume there began dropping sharply after ChatGPT’s release, and one analysis suggests overall traffic fell by about 50% between 2022 and 2024. When a chatbot can generate a code snippet and an explanation on demand, fewer people bother typing a question into a public forum.

So where does that leave us?

Three years in, ChatGPT hasn’t replaced the rest of the tech stack; it’s reordered it. The default search has shifted. Search engines are still for deep dives and complex comparisons. YouTube is still for seeing real people do real things. Smart speakers are still for hands-free convenience.

But when people need to figure something out, many now start with a chat conversation, not a search box. That’s the real ChatGPT effect: It didn’t just add another app to our phones – it quietly changed how we look things up in the first place.

Deborah Lee, Professor and Director of Research Impact and AI Strategy, Mississippi State University

This article is republished from The Conversation under a Creative Commons license. Read the original article.



by Web Desk via Digital Information World

New Report Ranks the Most Invasive Shopping Apps of 2025

A new review of data practices across the most downloaded shopping apps in the United States shows how sharply companies differ in the way they handle user information. Tenscope examined the top one hundred shopping apps on the Apple App Store in November 2025 and scored each one on how much data it collects, shares with advertisers, or uses for its own promotions. The result is a ranking that places some major brands at the very top of the invasiveness scale while others collect almost nothing.

Foot Locker leads the list with a score of one hundred. It gathers nine types of information for cross-platform tracking and sends thirteen categories of user data to advertising partners. It also uses fifteen types of data for its own marketing. The gap becomes clear when Foot Locker is compared with Dick’s Sporting Goods. Both operate under the same parent company, yet Dick’s scores only three and collects nothing for tracking across outside apps or sites.

The study shows that popularity does not predict how aggressively an app collects information. Temu is the second most popular shopping app in the country and has a score of two. Shop by Shopify is the third most popular and has a score of zero. These two apps collect only limited data and avoid the tracking practices seen in many higher-scoring apps. Meanwhile, Foot Locker ranks eighty-fifth in popularity despite the highest score in the review. Nordstrom Rack and AE + Aerie also sit outside the top fifty while holding scores well into the nineties. Tenscope points to a growing trend where heavy data collection may push users away rather than strengthen engagement.

The analysis highlights how often user information is shared with outside advertisers. Twenty-four apps share purchase history. This includes Depop, eBay, Macy’s, Mercari, and Etsy. Nineteen apps share email addresses with advertising networks. Ten share physical addresses. Only one app, AE + Aerie, sends user photos to advertisers. Tenscope also found that twenty-nine apps use location data for their own marketing and eight share location with external partners.

Cross-platform tracking continues to play a major role in how apps build user profiles. Nine apps collect browsing history across outside websites and apps. Seventeen collect search history. These practices expand each app’s view far beyond what happens within its own interface. Foot Locker stands out again. The app collects browsing history, search details, address information, purchase activity, and usage data, then pushes much of this to advertisers.

Some of the lowest-scoring apps show that a full shopping experience does not require invasive behavior. Four, Elfster, Hobby Lobby, Craigslist, and Shop by Shopify score zero. LTK follows with one. Temu, Best Buy, and Lowe’s sit at two. Dick’s Sporting Goods holds a score of three. These results show that many brands are able to run core features without building extensive data profiles.

Full list:
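| App Name | Tracking Data | 3rd Party Data | 1st Party Data | Score |
|---|---|---|---|---|
| Foot Locker | 9 | 13 | 15 | 100 |
| Nordstrom Rack | 8 | 13 | 22 | 96 |
| AE + Aerie | 9 | 11 | 19 | 95 |
| Kohl's | 6 | 17 | 18 | 95 |
| Nordstrom | 7 | 13 | 23 | 90 |
| Ace Hardware | 9 | 8 | 17 | 85 |
| Depop | 10 | 7 | 7 | 85 |
| Walgreens | 8 | 8 | 8 | 76 |
| eBay | 5 | 10 | 12 | 65 |
| Cars.com | 5 | 10 | 10 | 65 |
| Mercari | 6 | 8 | 6 | 63 |
| ALO | 7 | 5 | 8 | 61 |
| OfferUp | 5 | 8 | 8 | 58 |
| Ibotta | 5 | 7 | 13 | 56 |
| ALDI USA | 4 | 9 | 10 | 55 |
| Macy's | 3 | 9 | 14 | 51 |
| Etsy | 4 | 8 | 2 | 50 |
| Target | 3 | 8 | 12 | 47 |
| Bath & Body Works | 4 | 6 | 11 | 47 |
| Kroger | 3 | 7 | 13 | 44 |
| adidas | 6 | 1 | 11 | 43 |
| Sephora US | 4 | 5 | 11 | 43 |
| StockX | 4 | 5 | 7 | 42 |
| PetSmart | 3 | 6 | 11 | 40 |
| Victoria's Secret PINK Apparel | 4 | 3 | 13 | 38 |
| Victoria's Secret | 4 | 3 | 12 | 38 |
| Ulta Beauty | 6 | 0 | 0 | 37 |
| Gymshark | 5 | 1 | 7 | 36 |
| CarGurus | 2 | 6 | 16 | 36 |
| Chewy | 5 | 0 | 13 | 35 |
| GOAT | 5 | 0 | 9 | 34 |
| H&M | 5 | 0 | 2 | 31 |
| Alibaba | 3 | 3 | 11 | 31 |
| Harbor Freight Tools | 5 | 0 | 0 | 31 |
| Groupon | 1 | 7 | 8 | 30 |
| Walmart | 3 | 3 | 4 | 29 |
| Nike | 2 | 4 | 12 | 28 |
| Klarna | 2 | 4 | 11 | 28 |
| Quince | 4 | 0 | 10 | 28 |
| Poshmark | 4 | 0 | 10 | 28 |
| Fabletics | 4 | 0 | 7 | 27 |
| Fashion Nova | 3 | 2 | 0 | 25 |
| Bed Bath & Beyond | 3 | 1 | 9 | 24 |
| Aritzia | 3 | 0 | 14 | 23 |
| CARFAX | 3 | 1 | 2 | 22 |
| Official Pandora KR | 3 | 0 | 6 | 20 |
| T.J.Maxx | 3 | 0 | 3 | 19 |
| Whatnot | 2 | 1 | 13 | 19 |
| Sezzle | 3 | 0 | 2 | 19 |
| Capital One Shopping | 2 | 1 | 10 | 19 |
| Ralph Lauren | 2 | 1 | 3 | 16 |
| Safeway Deals & Delivery | 1 | 3 | 2 | 16 |
| Wayfair | 2 | 0 | 10 | 15 |
| Afterpay | 2 | 0 | 10 | 15 |
| lululemon | 0 | 4 | 9 | 15 |
| Affirm | 2 | 0 | 8 | 15 |
| UNIQLO | 1 | 2 | 7 | 15 |
| Sam's Club | 1 | 1 | 14 | 14 |
| Phia | 2 | 0 | 3 | 13 |
| Gap | 1 | 1 | 12 | 13 |
| Aeropostale | 2 | 0 | 1 | 13 |
| Athleta | 1 | 1 | 11 | 13 |
| Old Navy | 1 | 1 | 11 | 13 |
| IKEA | 1 | 1 | 7 | 11 |
| SKIMS | 1 | 0 | 15 | 11 |
| Vinted | 1 | 1 | 4 | 11 |
| Babylist Baby Registry | 1 | 0 | 12 | 10 |
| Costco | 1 | 1 | 2 | 10 |
| Crocs | 1 | 1 | 1 | 10 |
| Amazon | 0 | 2 | 11 | 10 |
| Abercrombie & Fitch | 1 | 0 | 10 | 9 |
| DHgate | 1 | 1 | 0 | 9 |
| Hollister | 1 | 0 | 10 | 9 |
| The Home Depot | 1 | 0 | 10 | 9 |
| Nespresso Store | 1 | 0 | 8 | 9 |
| Taobao | 1 | 0 | 6 | 8 |
| Publix | 1 | 0 | 6 | 8 |
| Carvana | 1 | 0 | 5 | 8 |
| Zara | 1 | 0 | 5 | 8 |
| Fetch | 1 | 0 | 3 | 7 |
| SHEIN | 1 | 0 | 3 | 7 |
| Michaels Store | 1 | 0 | 2 | 7 |
| BJs Wholesale Club | 1 | 0 | 1 | 7 |
| Carter's | 1 | 0 | 0 | 6 |
| Circle K | 1 | 0 | 0 | 6 |
| Dollar General | 1 | 0 | 0 | 6 |
| KashKick | 1 | 0 | 0 | 6 |
| AliExpress | 1 | 0 | 0 | 6 |
| Zip | 0 | 0 | 11 | 3 |
| Rakuten | 0 | 0 | 11 | 3 |
| Dick's Sporting Goods | 0 | 0 | 9 | 3 |
| Lowe's | 0 | 0 | 6 | 2 |
| Best Buy | 0 | 0 | 6 | 2 |
| Temu | 0 | 0 | 5 | 2 |
| LTK | 0 | 0 | 4 | 1 |
| Shop | 0 | 0 | 1 | 0 |
| craigslist | 0 | 0 | 0 | 0 |
| Hobby Lobby | 0 | 0 | 0 | 0 |
| Elfster | 0 | 0 | 0 | 0 |
| Four | 0 | 0 | 0 | 0 |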

Tenscope based its scoring on Apple’s privacy labels. These disclosures require developers to report the types of data they collect and how that data is used. Each data point was weighted based on how intrusive the practice is. Cross-platform tracking carried the highest weight. Scores were then normalized to produce final results on a scale from zero to one hundred. All data reflects disclosures made in November 2025.

Key Questions Raised by the Findings:

The report also prompted DIW to reach out for expert context. Jovan, the co-founder of Tenscope, shared additional insight on how these findings fit into the wider privacy landscape.

One question focuses on how a high invasiveness score may influence customer loyalty, install rates, or the general trust people place in a brand. Another asks why some companies continue to rely on heavy data collection even when most users show a clear preference for apps that gather less information. In response, Jovan explained: "The core problem is consumer awareness: most people know apps collect data, but few understand the true scope. This lack of awareness is the same reason why companies follow these practices - they don't have to change since they are not receiving pushback from the customers. That was one of the reasons we did this study - to shed light on all the unnecessary (and invasive) data that shopping apps collect in the peak shopping season."

DIW also asked about the study’s limits, noting that an app can look less invasive in this ranking because of how data is reported while still collecting information through channels not reflected here. For example, the picture may also change on Android or other platforms, which creates possible blind spots. In response, Jovan explained: "The primary limitation of this study is that it only examines apps found on the App Store, and Apple's privacy standards are much higher than Google's or those of other platforms. This means the same app could potentially collect significantly more data on the Google Play Store."

Lastly, DIW asked how companies should prepare for upcoming changes in privacy rules and rising user expectations in the year ahead. The co-founder explained: "The data economy has grown faster than the older laws anticipated (new technologies often advance more quickly than safeguards, e.g. AI), so regulators are taking a more active role. If changes are coming anyway, it makes sense for companies to get ahead of these and use this as a marketing advantage, for example, by positioning themselves as “data responsible”. For consumers, the best defense is to be vigilant. Check app permissions, turn off anything you don’t need (especially location), and in general go for brands which are transparent about their data practices."

Notes: This post was edited/created using GenAI tools with human oversight.

by Irfan Ahmad via Digital Information World