Last weekend I sat down with my own phone, scrolled through every single app I had installed, and ran each one through a static analyzer. No filtering, no curating. The flashlight my partner installed five years ago. The travel app I used for one trip in 2024. The bank. The newspaper. All of it.

47 apps total. Here is what came out the other side.

The numbers

  • 312 unique tracker SDKs detected across all 47 apps
  • 6.6 average trackers per app
  • 2 apps had zero trackers (both calculator clones)
  • 1 app had 19 (a free puzzle game I download once and forgot about)
  • 41 apps requested at least one “dangerous” permission
  • 8 apps wanted access to my contacts and could give no reason for it

That last number is the one that bothered me most. Eight apps. None of them were messaging apps or anything where contacts are obviously the point.

The usual suspects

The same names showed up over and over again. Firebase. Crashlytics. Facebook Login. Adjust. AppsFlyer. None of them are illegal. Most of them are technically useful to the developer in some way. The problem is not that any one tracker is malicious. The problem is that you opened 47 apps and silently agreed to be reported on by 30+ third parties, none of whom you have ever heard of.

The committee analogy keeps coming back to me. Nobody on that committee is a villain. They are just doing their small part of a much larger picture, and they were all hired without your input.

The flashlight

My partner’s flashlight had 11 trackers. Eleven. For an app that turns the camera LED on and off.

I checked the developer. Single-person studio in Eastern Europe. The app makes its money by selling installs to ad networks, which is fine, but the SDKs they ship to do that include four different attribution platforms, two analytics providers, an A/B testing framework, an in-app messaging tool, and a crash reporter. Each one is a network call, a device fingerprint, a small fact about my partner being shared somewhere they cannot trace.

We deleted it. The phone has a flashlight built in.

What I changed

After the audit:

  • Deleted 8 apps outright. Not because they were spyware, just because the cost-benefit was wrong now that I could see the cost.
  • Disabled location for three apps that did not need it. The weather app does not need real-time location. It needs the city.
  • Replaced two apps with privacy-respecting alternatives. The two were a calendar (replaced with the OS one) and a podcast app (replaced with one that does not phone home).
  • Stopped installing apps casually. Now I run a scan first.

What I am not going to tell you

I am not going to tell you which apps to delete. The audit is personal. An app that bothers me may be fine for you. The point is the audit itself. You cannot make a real decision about an app you have never looked inside.

If you have an Android phone and you have never done this, set aside 20 minutes this week. Pick 5 apps you open every day. Find out what they actually contain. Decide whether you still want them.

The number you come back with will probably surprise you. Mine did.