71% of Apps Expose User Data: Security Risks Revealed

The Breakdown of Digital Privacy: Why Consumer Trust is Eroding

A class-action lawsuit filed in California on July 17, 2026, by Anthony Alvarez alleges that Apple’s “Hide My Email” feature for iCloud+ subscribers fails to protect user anonymity, exposing real email addresses to third parties despite a promised security patch. This legal challenge, combined with recent findings that a majority of analyzed iOS apps leak sensitive user data, signals a growing crisis in mobile privacy standards.

The Failure of “Hide My Email”

Apple’s “Hide My Email” service is marketed as a core privacy benefit for paid iCloud+ subscribers. However, the feature is currently the subject of a lawsuit alleging false advertising and violations of consumer protection laws.

Security researcher Tyler Murphy first identified the vulnerability in June 2025. While Apple acknowledged the flaw in July 2025 and deployed a patch in March 2026, subsequent testing indicates the issue remains unresolved. According to the court filing, every generated email alias remains vulnerable to de-anonymization, allowing unauthorized parties to uncover the true addresses linked to these accounts. Apple has not yet issued a public statement regarding the pending litigation or the technical status of the fix.

Did you know?
The Mozilla Foundation recently audited six popular cycle-tracking apps and found that “Stardust” shared sensitive health information, including pregnancy status, with third-party analytics provider RudderStack, directly contradicting its privacy marketing.

Systemic Data Leaks in the iOS Ecosystem

The litigation against Apple represents a broader pattern of data insecurity within the iOS app ecosystem. A comprehensive study of iOS applications found that nearly three-quarters of these programs expose sensitive user data due to improper configurations or security oversights.

A recent example occurred on Saturday, when the “Photo Vault” app was found to be leaking user metadata in real-time. The leak stemmed from a misconfigured, passwordless Firebase database. This exposure compromised metadata from thousands of photo albums, dozens of stored passwords, and over 80 private notes. Security experts noted that the database configuration allowed unauthorized users to monitor uploads and potentially hijack user accounts.

Corporate Data Practices Under Scrutiny

Beyond app-level vulnerabilities, large-scale data mismanagement continues to result in significant financial penalties. The genetic testing service 23andMe, through its successor entity Chrome Holding Co., recently agreed to an €18 million settlement with dozens of U.S. state attorneys general.

This settlement addresses a 2023 breach where attackers stole the genetic data of millions of customers. The breach began with “credential stuffing,” where attackers used stolen login information from other services to access a small number of accounts. Once inside, they exploited the “DNA Relatives” feature to mass-scrape data from millions of other profiles. Total costs for the company, including previous class-action settlements and international fines, now exceed €50 million.

I FEEL YOU S4E5 : Anthony Alvarez and Using Art to Address Upstream Problems

Risks of Excessive App Permissions

Permission management remains a critical point of failure for mobile privacy. The ride-sharing service Uber recently faced criticism after it was discovered that its iOS app held an exclusive, high-level permission to record the user’s screen.

Uber stated that the permission was intended for map rendering and had not been utilized for an extended period. Following public disclosure by security researchers, the company pledged to remove the permission. This incident highlights the risk of “permission creep,” where apps retain elevated system access long after the original technical necessity has passed.

Frequently Asked Questions

What should I do if I use a period-tracking app?
The Mozilla Foundation recommends using apps like “Euki” that prioritize local data storage, keeping your health information on your device rather than on external servers.

How did attackers access 23andMe data?
Attackers used “credential stuffing” to gain entry to accounts and then leveraged the “DNA Relatives” feature to harvest data from the accounts of millions of other users.

Is “Hide My Email” safe to use right now?
According to the July 2026 lawsuit filed by Anthony Alvarez, current tests show that all aliases generated by the service remain vulnerable to de-anonymization.

Pro Tip: Regularly audit your app permissions in your phone’s settings. If an app has access to your location, camera, or screen recording features that it does not actively need, revoke those permissions immediately.

*Have you encountered unexpected data sharing in your favorite apps? Share your experiences in the comments below or subscribe to our newsletter for the latest updates on digital privacy and consumer protection.*

Leave a Comment