Popular apps running on both Android and iOS have been found to be leaking data including names and email addresses to at least two third parties.
An MIT report, testing 55 of the most popular apps from both iOS and Android, researchers found that names were shared with a third party by 73 percent of Android apps and 16 percent of iOS apps, with the same figures for email addresses.
For location data, iOS was leakier, with 47 percent sharing data compared to 33 percent on Android.
Android also leaked to more parties, with potentially sensitive data going to 3.1 third-party domains, compared to iOS at 2.6.
The domains that the data was leaked to included Google.com and Googleapis.com, with 36 percent and 18 percent of apps respectively. Apple.com received data from 17 percent and Facebook.com from 14 percent.
93 percent of Android apps leaked to the domain safemovedm.com, which the researchers claimed was "likely due to a background process" on the OS.
For example, Facebook leaked data to 2 third parties, Facebook Messenger and eBay to 1, and health app WebMD leaked data to 3 third parties. Glide leaked to 8 third parties, Map My Walk to 9 and Text Free to 11.
Some apps, however, such as Amazon and FitBit only sent data to the correct domain.
Crucially, these mobile apps do not require any permissions to leak this data.
The report said that "the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs".
It concluded by suggesting three possible techniques for improving transparency around and limiting unintended data sharing; one was to send false data in response to app requests, two to allow users to opt out of data collection and three to include information about third parties that might receive data within the app store.