| A | B | C | D | E | F | G | H | I | J | K | L | M | N | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | ChatGPT Clone Apps Privacy Risks | |||||||||||||
2 | Author: Simon Migliano | |||||||||||||
3 | Report: ChatGPT Clone Apps Privacy Risks | |||||||||||||
4 | Top10VPN.com | |||||||||||||
5 | ||||||||||||||
6 | App Name | APK Name | Findings Highlights | Play URL & Archive | Developer | Installs | Status | Pricing | AI Technology | Risky Permissions | Potentially Risky Functions | Privacy Policy URL & Archive | Privacy Policy Issues | Mitmproxy Results |
7 | AI Chat Companion | com.openaibot.chat | Risky permissions: Record audio but doesn't work in app Risky functions: location, camera Data sharing policy: allows for detailed 1P data collection and 3P sharing. Security risk re email correspondence. Data sharing tests: 3P requests | https://play.google.com/store/apps/details?id=com.openaibot.chat&hl=en&gl=US https://web.archive.org/web/20230110225214/https://play.google.com/store/apps/details?id=com.openaibot.chat&hl=en&gl=US | AI Chat | 100,000 | Available | Unlimited messages: $9.99 per month | OpenAI | RECORD_AUDIO | LocationKt location.getLongitude/Latitude Contex.Compat import android.hardware.camera2.CameraManager | https://openaibot.chat/privacy-policy/ https://web.archive.org/web/20230111111751/https://openaibot.chat/privacy-policy/ | Automatically collect: - Log Data (IP address, browser type and settings, the date and time of your request, and how you interacted with the site.) - Usage Data - Device Data Site does not react to Do-Not-Track Signals Personal Information used to conduct research, which may be internal or shared with third parties, published, or made generally available. Personal Info can be shared without notice with Vendors and Service Providers, and during Business Transfers From the Security Section: "In particular, emails sent to or from us may not be secure. Therefore, you should be careful when deciding what information to send to us via the service or email. " | 3P requests: revenuecat |
8 | TalkGPT - Talk to ChatGPT | com.oncar.talkgpt | Risky permissions: Record audio but doesn't work in app; coarse & fine location Risky functions: location (fine/coarse) in Bytedance SDK with permission present Data sharing policy: intrusive collection 1& 3P. Poor quality policy. Data sharing tests: intrusive collection & sharing, device fingerprinting, IP address | https://play.google.com/store/apps/details?id=com.oncar.talkgpt&hl=en&gl=US https://web.archive.org/web/20230111115258/https://play.google.com/store/apps/details?id=com.oncar.talkgpt&hl=en&gl=US | TweetsOnGo | 100,000 | Available | Ad free tier available but no price shown before clicking agree button | OpenAI | RECORD_AUDIO ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION | Bytedance SDK address.getLatitude address.getLongitude address.getLocality() Amazon Ads SDK getLocation plus other location functions in 3P ad SDKs and 1P components | https://www.dominapp.co.il/blueto/privacy_policy.html https://web.archive.org/web/20230111120337/https://www.dominapp.co.il/blueto/privacy_policy.html | Playstore Developer listed as TweetsOnGo, referred to as BlueTo in Privacy Policy, contact email has no references to either: info@number1.co.il Personal Data Collected: Contact List, Call Log, Current Location Usage Data (the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data) Employ 3P Service Providers | Collects & shares IP address (1P & 3P everestop.io) Device fingerprinting: FB, adcolony, everestop.io, criteo, Google |
9 | Open Chat - AI Chatbot App | com.smartwidgetlabs.chatgpt | Risky permissions: None Risky functions: location, IP address verification, camera Data sharing policy: intrusive collection 1& 3P. Short/generic policy. Data sharing tests: fingerprinting (App Adjust) | https://play.google.com/store/apps/details?id=com.smartwidgetlabs.chatgpt https://web.archive.org/web/20230112105216/https://play.google.com/store/apps/details?id=com.smartwidgetlabs.chatgpt | Smart Widget Labs Co Ltd | 100,000 | Available | Weekly: £4.99 Monthly: £8.99 Lifetime: £58.99 | OpenAI | None | ExifInterface location.getLongitude/Latitude/Provider TAG_GPS_DATESTAMP TAG_GPS_TIMESTAMP OkHostnameVerifier verifyIpAddress Freshchat chat_camera_permissions_granted/not_granted chat_capture_from_camera | https://smartwidgetlabs.com/privacy-policy/ https://web.archive.org/web/20230112105325/https://smartwidgetlabs.com/privacy-policy/ | Info collected: your device ID, device type, geo-location information and connection information, statistics on page views, traffic to and from the sites, ad data, IP address, and standard web log information Info collected through interaction with site, services, content and advertising "We may collect personal information about you when you use and access our website. While we do not use browsing information to identify you personally, we may record certain information about your use of our website, such as which pages you visit, the time and date of your visit, and the internet protocol address assigned to your computer. " "We collect your photograph, with your expressed permission, to generate your content. We do not use your photograph or data for any other purpose" Rather short and generic policy | Fingerprinting: app.adjust.com |
10 | GPT AI Chat - Chatbot assistant | com.mobteq.aiassistant | Risky permissions: None Risky functions: Location, write to device, IP address-related Data sharing policy: 1P data collection (inc. search queries) & limited 3P sharing Data sharing tests: 3P requests (Google), some device info shared | https://play.google.com/store/apps/details?id=com.mobteq.aiassistant&hl=en_GB&gl=US https://web.archive.org/web/20230111115217/https://play.google.com/store/apps/details?id=com.mobteq.aiassistant&hl=en_GB&gl=US | Mobteq | 50,000 | Available | Free | OpenAI | None | location.getLatitude() location.getLongitude() 16 references to external storage (ie device memory) 33 references to "IP address" ie VERIFY_AS_IP_ADDRESS | https://chatgptandroid.com/privacy_policy.html https://web.archive.org/web/20230112102222/https://chatgptandroid.com/privacy_policy.html | Two different email addresses listed: sageaitech@gmail.com (questions about personal info) and support@chatgptandroid.com (questions about privacy policy) Data Collected: IP Address, your device’s operating system, browser type, language, hardware type, mobile network, your unique device ID (persistent/non-persistent), Search Queries Uses 3P Services: Firebase Analytics | 3P requests: Google |
11 | ChatGPT AI Writing Assistant | com.open.ai.content.writer | Risky permissions: read/write storage & access photos Risky functions: read/write storage, image-related (permissions also present); location Data sharing policy: intrusive collection 1& 3P. Data sharing tests: IP address present in Google request | https://play.google.com/store/apps/details?id=com.open.ai.content.writer https://web.archive.org/web/20230111124212/https://play.google.com/store/apps/details?id=com.open.ai.content.writer | Mix App Developer | 50,000 | Available | 50 credits: £4.89 300 credits: £19.99 1,000 credits: £58.99 | OpenAI | WRITE_EXTERNAL_STORAGE READ_EXTERNAL_STORAGE ACCESS_MEDIA_LOCATION | private static final String[] f26871d = {"longitude", "latitude"} 18 functions referencing external storage 758 functions referencing images (only image functionality in app is a profile pic in settings) | https://docs.google.com/document/u/1/d/e/2PACX-1vRPAXcwA4c-VhtB1lrRKgB-3Ib_Dm0g2hgFqCFVS2aBM6qp4zPfASsCHT0f-8tugfJ9nWorcq_zGVKO/pub https://web.archive.org/web/20230111131534/https://docs.google.com/document/u/1/d/e/2PACX-1vRPAXcwA4c-VhtB1lrRKgB-3Ib_Dm0g2hgFqCFVS2aBM6qp4zPfASsCHT0f-8tugfJ9nWorcq_zGVKO/pub | Log, Usage and Device Data collected automatically - IP address, device information, browser type and settings and information about your activity in the App -Device and application identification numbers, location, browser type, hardware model Internet service provider and/or mobile carrier, operating system and system configuration information. Use personal info to deliver targeted advertising "May need to" share personal information for business transfers, business partners and an "offer wall" (Such an offer wall allows third-party advertisers to offer virtual currency, gifts, or other items to users in return for the acceptance and completion of an advertisement offer.) Does not respond to Do-Not-Track signals "We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider." | Shares IP address with Google |
12 | ChatGPT 3: Chat GPT AI | com.ekmen.aiapp | Risky permissions: None Risky functions: location Data sharing policy: intrusive collection 1& 3P. Data sharing tests: Fingerprinting (appcentre), multiple 3P requests | https://play.google.com/store/apps/details?id=com.ekmen.aiapp&hl=en&gl=US https://web.archive.org/web/20230112075610/https://play.google.com/store/apps/details?id=com.ekmen.aiapp&hl=en&gl=US | Ekmen | 10,000 | Available | Free only (Patreon available) | OpenAI | None | LocationKt getLongitude and Latitude | https://www.freeprivacypolicy.com/live/9eb2d0e5-eebf-4b7f-a2f2-6d80ffb2144e https://web.archive.org/web/20230112101948/https://www.freeprivacypolicy.com/live/9eb2d0e5-eebf-4b7f-a2f2-6d80ffb2144e | Based in Turkey Collects Usage Data (eg. IP address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data etc.) Location info collected with permission (might be uploaded to the company or service provider's servers) Personal Information might be shared with service providers, business transfers, affiliates, business partners Doesn't specify a set length of time for which the data is retained (just says "as long as is necessary for the purposes set out in this Privacy Policy" and "comply with applicable laws") | Fingerprinting: appcentre 3Ps inc Twitter ads, applovin, satchelpulse, google, hubspot |
13 | ChatGPT | com.mediavents.chatgpt | Risky permissions: None Risky functions: location, camera, device ID Data sharing policy: allows for detailed 3P data sharing Data sharing tests: device fingerprinting (Google) | https://play.google.com/store/apps/details?id=com.mediavents.chatgpt&hl=en&gl=US https://webcache.googleusercontent.com/search?q=cache:uRcIrnCALpoJ:https://play.google.com/store/apps/details%3Fid%3Dcom.mediavents.chatgpt%26hl%3Den_GB%26gl%3DUS&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-b-d | MediaVents Hindriks | 100,000 | Removed | Free | OpenAI | None | zzepm location.getLongitude/Latitude/Time/Accuracy Contex.Compat import android.hardware.camera2.CameraManager TelephonyManagerCompat sGetDeviceIDMethod | https://mediavents.nl/privacy_policy https://web.archive.org/web/20230111105749/https://mediavents.nl/privacy_policy | 3P data collection from: - Google Play Services - AdMob Log data collected through third party products: "IP address, device name, operating system version, the configuration of the app when utilizing our Service, the time and date of your use of the Service, and other statistics." May employ 3P Service Providers, which have access to users' personal information (however they are obliged to not disclose the info or use it for any other purpose | Shared device data with Google |
14 | Chatteo - Chat with AI | appinventor.ai_work24info.chatgp | Risky permissions: None Risky functions: writing to device Data sharing policy: allows for detailed 3P data collection and 3P sharing. Data sharing tests: device fingerprinting (Facebook) | https://play.google.com/store/apps/details?id=appinventor.ai_work24info.chatgpt&hl=en&gl=US https://web.archive.org/web/20230111104513/https://play.google.com/store/apps/details?id=appinventor.ai_work24info.chatgpt&hl=en&gl=US | Bitta&Testa | 100,000 | Available | 100 credits: £2.09 250 credits: £4.09 500 credits: £5.99 1,000 credits: £11.49 | Proprietary | None | 12 references to reading/writing to storage | https://bittatesta.com/chatteo-app-privacy-policy/ https://web.archive.org/web/20230111104757/https://bittatesta.com/chatteo-app-privacy-policy/ | 3P data collection from: - Google Play Services - AdMob - Google Analytics for Firebase - Google In App Purchases 3P erorr log data: IP address, device name, operating system version, the configuration of the app when utilizing our Service, the time and date of your use of the Service Based in Italy | Device fingeprinting: Facebook |
15 | ChatGPT: Chat with AI Chatbot | com.chatgpt.android | Risky permissions: None Risky functions: Location, camera Data sharing policy: allows for detailed 3P data collection and 3P sharing. Data sharing tests: Minor device data | https://play.google.com/store/apps/details?id=com.chatgpt.android&hl=en&gl=US https://webcache.googleusercontent.com/search?q=cache:9NIGyvZQhDkJ:https://play.google.com/store/apps/details%3Fid%3Dcom.chatgpt.android%26hl%3Den_GB%26gl%3DUS&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-b-d | AKX Developers | 100,000 | Removed | No pricing data available | OpenAI | None | com.onesignal location.getLongitude p209oa.C7921l GeoPoint { latitude= p243r2.C8886a import android.hardware.camera2.CameraManager | https://akak699198.wixsite.com/chatgpt https://web.archive.org/web/20230111105654/https://akak699198.wixsite.com/chatgpt | Generic privacy policy 3P data collection from: - Google Play Services - AdMob - Google Analytics for Firebase 3P erorr log data: IP address, device name, operating system version, the configuration of the app when utilizing our Service, the time and date of your use of the Service Generic contact email: akak699198@gmail.com (based in India) | None notable |
16 | Open AI Chat Gpt - AI 360 | com.ai360 | Risky permissions: None Risky functions: Significant presence of adware SDKs Data sharing policy: intrusive 3P data collection Data sharing tests: None observed | https://play.google.com/store/apps/details?id=com.ai360 | Yukesh | 10,000 | Removed | Free | OpenAI | None | Packed with adware SDKs (Facebook, Google etc) | https://pages.flycricket.io/open-ai-chat-gpt-a-0/privacy.html https://web.archive.org/web/20230112102311/https://pages.flycricket.io/open-ai-chat-gpt-a-0/privacy.html | "I may require you to provide us with certain personally identifiable information, including but not limited to rave." ? Uses 3P services that may collect identifiable information -Google Play Services Logs collected through 3P products: IP address, device name, operating system version, the configuration of the app when utilizing my Service, the time and date of your use of the Service, and other statistics. 3P Service Providers have access to personal Info Contact email: yukeshhari2412@gmail.com "I" used throughout the document, seems to be just one guy behind the app | Just a wrapper for OpenAI web interface |