Published: Feb 13, 2024

Dangerous permissions in adult toy apps

As Valentine’s Day approaches, promising a day of love and fun, Surfshark offers a reminder not to overlook the potential dangers hiding in pleasure devices. We examined adult toys with associated Android apps and analyzed the permissions these apps require, some of which are deemed dangerous. Such permissions give a backstage pass to your digital life, providing access to private information or functions that could potentially create issues for your device. So, let's take a moment to understand what these permissions are and make sure we stay safe in both our digital experiences and real-world adventures.

Key insights

  • The 10 investigated adult toy apps were found to require a wide array (spanning over 60 types) of permissions. On average, the investigated apps requested 22 permissions, though there is a significant variation in the number of permissions across different apps. Lovense Remote requested the highest number of permissions (53), followed by Satisfyer Connect and Love Spouse (both with 28 permissions). On the other side of the spectrum, NaughtyKit only requested 6 permissions.
  • Permissions considered dangerous were also observed in the analyzed adult toy apps. These permissions “give your app additional access to restricted data or let your app perform restricted actions”¹. On average, the apps requested 6 dangerous permissions, spanning a total of 13 types. The number of dangerous permissions ranged from 13 (for Lovense Remote) to 2 (for NaughtyKit).
  • Given the nature of pleasure devices, it’s understandable that all of the investigated apps required at least two Bluetooth-related permissions: Bluetooth pair (to connect to devices) and Bluetooth admin (to control settings). However, some apps go beyond these basics and request dangerous Bluetooth-related permissions. For instance, Lovense Remote advertises the device as available for Bluetooth connections and automatically connects to previously paired devices without prompting.
  • The dangerous permissions we observed most frequently included reading from and writing to external storage (used by 8 out of 10 apps). These permissions allow the app to access information outside of the allocated storage space for the app, enabling it to interact with previously saved images, or to save new data generated while using the app, such as in-app screenshots or received pictures. Additionally, camera access was sought by 7 apps, while 5 apps requested permission to capture audio.
  • We also noticed some apps asked for dangerous permissions that were not sought by others in their category. For example, Magic Motion and Lovense Remote sought access to the device’s settings, potentially enabling them to modify device system settings. Also, Lovense Remote requested access to the users’ location even when running in the background, a feature distinct from other adult toy apps.

Methodology and sources

We identified the apps by querying the Google Play Store with “Adult Toy App” and selecting apps that enabled the use of an external device. We chose the ten most downloaded apps that met our criteria and appeared in the results using the aforementioned query. The apps’ permissions were extracted using Exodus’ Privacy Reports, which also noted which permissions were dangerous.
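The kind of check described above can be reproduced on a decoded `AndroidManifest.xml`. The sketch below is an added example, not Surfshark's or Exodus' tooling: the manifest is constructed for a hypothetical app, and the dangerous set is a subset of permissions Android documents at the "dangerous" protection level, limited to the categories named in this article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Subset of Android permissions with protection level "dangerous"
# (storage, camera, microphone, location, Bluetooth). Not a full list.
DANGEROUS = {P + n for n in (
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "CAMERA",
    "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "ACCESS_BACKGROUND_LOCATION", "BLUETOOTH_ADVERTISE",
    "BLUETOOTH_CONNECT", "BLUETOOTH_SCAN",
)}

# Constructed sample manifest for a hypothetical app (not one of the ten studied).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.toyremote">
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
    <uses-permission android:name="android.permission.BLUETOOTH_CONNECT" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
</manifest>
"""

def audit_manifest(xml_text):
    """Return unique requested permissions, split into dangerous and other."""
    root = ET.fromstring(xml_text.strip())
    requested = set()
    # Both element names declare a permission request; duplicates collapse in the set.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    return {
        "total": len(requested),
        "dangerous": sorted(requested & DANGEROUS),
        "other": sorted(requested - DANGEROUS),
    }

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['total']} permissions, {len(report['dangerous'])} dangerous")
    for perm in report["dangerous"]:
        print("  dangerous:", perm)
```

A fuller audit would load the complete permission list from the Android documentation, since classifications in third-party reports can differ from this subset.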

Note on data: For ease of presentation, some app names were shortened in the visualization and in the text above. The full names of these apps can be found in the research material made available below.

For complete research material behind this study, visit here.

Data was collected from:

Exodus (2024). Reports.

References:

¹ Android (2024). Developers Android. Permissions on Android.