Can we hide on Truecaller?

The information portal for safe cell phone use

What can “Truecaller” do?

The Truecaller app is a telephone app with many additional functions. Above all, users are shown information about unknown numbers and SMS and can block them. For this, Truecaller relies on a crowd-sourcing solution. The app collects the phone numbers and associated names of all users in a database. In addition, you can upload phone numbers and information about numbers yourself.

As soon as a Truecaller user receives a call or SMS, the app compares the number with the database, displays the information that is stored for the number or blocks it if necessary. Truecaller also offers a feature called Truecaller Pay, which you can use to make small monetary transactions.

Truecaller displays advertisements; the paid Pro version is ad-free and has additional functions.

Truecaller has been downloaded more than 100 million times from the Play Store. On some Android phones (for example Wileyfox), Truecaller is the pre-installed phone app, so you can't easily uninstall it.

Truecaller is offered by the Swedish company True Software Scandinavia AB.

Our test at a glance

Anyone who uses the Truecaller app sends their own telephone number and user name to the provider's database. Other users of the app are then automatically shown your user name when you call them. That is the basic function and the added value of the app - but you should be aware of it.

The following points are much more problematic:

  1. In the app, users can add "tags" to phone numbers from the address book or the call list and give names to unknown numbers. Anyone who does this uploads the contact and their name to the Truecaller database and makes them available to all other users. If you don't want that, you have to change a setting. First, this contradicts the principle of "Privacy by Default"; second, the process is so confusing that you don't know exactly when a contact will be uploaded and when not.
  2. Facebook receives data from the app, including the advertising ID. The privacy policy refers to third-party providers, but does not name Facebook.
  3. The app transmits your own telephone number before you have given your consent.

The company compares all incoming and outgoing calls with its own database and uploads the numbers to do so. That may sound intrusive, but the "caller information" service can hardly work any other way. Telephone numbers from the address book are also uploaded once in order to compare them with the database.

In response to a request from mobilprüf.de, the provider gave an assurance that, in both cases, the numbers of people who do not use Truecaller are deleted from the service's servers immediately after the comparison.

The app makes every effort to clearly explain the data transfer and to obtain effective consent. However, the privacy policy is available only in English, and important information is missing from it (see chapter on data protection).

In contrast to what was probably the case in the past, the app does not upload your address book in order to enrich the database with it.

Our conclusion: Truecaller has probably the most complete "caller information" of all thanks to its huge database. But at a high price. If you simply want to detect and block spam and advertising calls, it is better to use other services that require less private information.

Our test in detail

We tested the “Truecaller - Caller ID” app in version 9.4.10, which we downloaded from the Play Store. This test does not provide any information about other versions.

The technical analysis was carried out by Mike Kuketz.

What data can the app access?

The permissions are extensive but plausible for the range of functions - except for the "Location" permission. The app will not work without access to the contacts - although this is not necessary for the core function.

Camera

  • Take pictures and videos

Phone

Contacts

SMS

Microphone

Storage

Location

Miscellaneous

Which data does the app transfer to whom?

All transmitted data is TLS-encrypted, which means that third parties cannot read it in transit. The app does not use certificate pinning as an additional safeguard.

Truecaller (Main service). Immediately after starting, the app sends the following information to the provider:

These data are transmitted even before the user has consented to the privacy policy. When setting up the app, Truecaller asks for the following information, which is also sent to the provider's server:

  • Surname, first name (mandatory field)
  • Gender (optional)
  • Full residential address (optional)
  • User picture (optional)
  • Employer and job title (optional)
  • Social media: email, Facebook ID, Twitter ID (optional)
  • Telephone number (mandatory field, will be verified)

When there is an incoming call, Truecaller transmits:

When you call someone yourself, Truecaller transmits:

  • Call start time and end time
  • the phone number called

Highly problematic: If the user edits a contact locally on the device or adds a new one, the app then transmits the phone number of this contact to Truecaller. There is no notification of this. It is completely unclear what purpose this data transfer serves.

Facebook (advertising and analysis): The Truecaller app uses the free Facebook analytics service and advertises via the Facebook advertising network. Information from the app is sent to Facebook, where it is linked to existing user data.

Immediately after starting the app and at recurring intervals, the following information, among other things, is transmitted to the Facebook advertising network - regardless of whether you have a Facebook account or not:

  • The Google advertising ID
  • Name and version of the app (Truecaller)
  • Standard information (Android version, device model and manufacturer, display resolution, country, time zone)
  • Usage data, for example when you open the app, which functions you use in the app and when you close it.

Crashlytics (analysis): A service provider that analyzes apps for errors and crashes, but also carries out usage analyses. It belongs to the Google group. The following information is transmitted to the service:

  • Standard information (device manufacturer and model, Android version and build number)
  • Information about the installed app (installation ID)
  • Google advertising ID
  • Android ID (unique identification number)

According to Google's own guidelines, no service should request the last two identification numbers at the same time. It is completely incomprehensible why Crashlytics still does so.
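An added example, not part of the original test or of the tooling used for it: one way an auditor could check records of decrypted app traffic for two of the findings above, personal data sent before consent and a single recipient getting the advertising ID together with the Android ID. The device identifiers, host names, consent time and flow records are constructed, and searching for hashed forms of each identifier is an assumption about how SDKs may encode them.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed test-device identifiers (assumption: the auditor knows them).
DEVICE = {
    "phone_number": "+491701234567",
    "advertising_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "android_id": "9774d56d682e549c",
}
CONSENT_AT = 100.0  # constructed: seconds after launch when consent was given

# Constructed records of decrypted requests: (time, host, body).
FLOWS = [
    (2.1, "api.provider.example", "msisdn=%2B491701234567&model=Pixel"),
    (3.4, "ads.network.example", '{"advertiser_id":"38400000-8cf0-11bd-b23e-10b96e40000d"}'),
    (5.0, "crash.analytics.example",
     "gaid=38400000-8cf0-11bd-b23e-10b96e40000d&aid=" +
     hashlib.sha1(b"9774d56d682e549c").hexdigest()),
    (140.0, "api.provider.example", "callee=%2B4930111222&start=1&end=9"),
]

def needles(value):
    """Forms in which an identifier may appear: raw, normalised, hashed."""
    forms = {value, value.lower(), value.replace("-", ""), value.lstrip("+")}
    for form in list(forms):
        for algo in ("md5", "sha1", "sha256"):
            forms.add(hashlib.new(algo, form.encode()).hexdigest())
    return {f.lower() for f in forms}

def audit(flows, device, consent_at):
    """Return (identifiers seen per host, pre-consent hits, hosts with both IDs)."""
    lookup = {name: needles(value) for name, value in device.items()}
    per_host, pre_consent = {}, []
    for ts, host, body in flows:
        text = unquote_plus(body).lower()
        found = {n for n, forms in lookup.items() if any(f in text for f in forms)}
        per_host.setdefault(host, set()).update(found)
        if ts < consent_at and found:
            pre_consent.append((host, sorted(found)))
    both = sorted(h for h, ids in per_host.items()
                  if {"advertising_id", "android_id"} <= ids)
    return per_host, pre_consent, both

if __name__ == "__main__":
    hosts, early, both_ids = audit(FLOWS, DEVICE, CONSENT_AT)
    print("pre-consent:", early)
    print("advertising ID + Android ID together:", both_ids)
```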

Firebase Analytics from Google (App-Measurement.com): Firebase provides app modules for certain functions free of charge. Firebase is part of the Google group. The Analytics module is a free tool for user analysis in iOS and Android apps. The app transfers the following data to the service:

  • Standard information (Android version, device model, build number)
  • Note: Further information and data transmissions are also encrypted and cannot be viewed.

Push service (Google): The “Google Service Framework” is required to transmit push notifications (GCM). Among other things, the following information goes to the service:

  • Name and version of the app (Truecaller)

What does the privacy policy say?

The privacy policy is linked in the Play Store and can be found in the app under Menu -> Settings -> About. There is only an English version, so German users will find it difficult to read.

The English version explains in a clear and understandable way how your own telephone number is shared and made available. It also becomes clear that the service supplements its own information with purchased data. All data and identification numbers collected are also mentioned.

The options for viewing and deleting your own data are clearly described. Great: There is an interface within the app to view all the data that Truecaller has saved about you. It is very revealing and very simple.

What is missing: The fact that data goes to third parties is mentioned, but the service providers involved, especially Facebook, are not named. This is particularly problematic in the case of Facebook, as the company can attribute the collected data to individuals and thus de-anonymize it.
