Morning Overview

The FBI just warned every iPhone and Android user to audit foreign-developed apps — Chinese security laws could pull your contacts, location, and messages onto foreign servers

Your phone knows where you sleep, who you talk to, and what you type into search bars at 2 a.m. The FBI now wants you to ask a simple question about every app that has access to that information: where was it built, and whose laws govern the servers holding your data?

In a public service announcement published through its Internet Crime Complaint Center in early 2026, the bureau warned that foreign-developed mobile apps used in the United States can quietly harvest contacts, GPS history, and messages across an entire device, then store that data on servers subject to foreign intelligence laws. The warning did not single out one app by name. It targeted a structural problem: when a company operates under a government that can legally compel access to user data, no privacy policy written in English changes that reality.

What the FBI actually said

The PSA, titled “Data Security Risks of Using Foreign-Developed Mobile Apps in the United States,” draws a distinction that most users overlook. A single app with broad permissions does not just collect data related to its own function. It can reach into contact lists, photo libraries, calendar entries, and messaging threads that have nothing to do with why you downloaded it. A weather app that requests access to your contacts is not being helpful. It is being greedy, and the FBI wants you to notice.

The bureau pointed specifically to the risk that user data stored overseas falls under the legal framework of whatever country hosts those servers. For apps linked to Chinese parent companies or infrastructure, that framework includes China’s Cybersecurity Law, which took effect on June 1, 2017, according to the text published on China’s National People’s Congress website. The law requires network operators and technology firms to cooperate with state security and intelligence work. That obligation is not a suggestion. It is statute, and it applies to every company operating under Chinese jurisdiction.

Beijing reinforced that framework with two additional laws in 2021: the Data Security Law and the Personal Information Protection Law. Together, the three statutes give Chinese authorities a broad, layered legal basis to demand access to data held by any company within their reach, including data originally collected from users thousands of miles away.

The TikTok case puts the risk in legal focus

The FBI’s warning did not arrive in a vacuum. The legal battle over TikTok has forced U.S. courts to examine exactly how China’s compelled-cooperation laws interact with American users’ data. In TikTok, Inc. v. Garland, docketed as case 24-656 at the U.S. Supreme Court, the federal government argued that PRC laws create a structural, ongoing threat to the data of Americans who use platforms tied to Chinese parent companies. Court materials accessible through Cornell Law Institute’s archive reference those compelled-cooperation provisions directly.

The government’s position treats the risk not as hypothetical but as an inherent feature of Beijing’s legal system. That argument was taken seriously enough to reach the Supreme Court, which signals that senior federal officials and multiple lower courts found the concern substantial. Still, court filings are advocacy. They describe what Chinese law empowers Beijing to demand, not a specific, publicly documented instance where a named U.S. user’s data was extracted through a mobile app under those provisions.

That distinction matters. The legal authority is real and documented. The public evidence of its exercise against individual American smartphone users remains thin, at least in unclassified records. Readers should hold both facts in mind simultaneously: the power exists, and the absence of a public case study does not mean it has never been used. It means we do not have a confirmed, disclosed example to point to.

Why the evidence gap does not equal safety

Some readers will look at the lack of a documented breach and conclude the FBI is overstating the threat. That would be a mistake, for a few reasons.

First, intelligence operations are not typically disclosed through press releases. If a foreign government accessed U.S. user data through a mobile app, the public might never learn about it, especially if the access was used for espionage or bulk data collection rather than a consumer-facing breach.

Second, the FBI chose to issue a formal PSA to every smartphone user in the country. The bureau does not do that for speculative risks. The Internet Crime Complaint Center publishes warnings when the agency has enough internal intelligence to justify a broad public alert, even when classified sourcing prevents it from showing its full hand.

Third, the statutory text speaks for itself. You do not need a leaked document to understand that a law requiring companies to assist intelligence operations will, at some point, be enforced. The question is not whether Beijing has the authority. The question is whether any particular app you use falls within its reach.

What the FBI did not say

The PSA is deliberately broad. It does not name TikTok, Temu, Shein, WeChat, or any other specific application. It does not publish technical audit logs showing data transmissions from particular apps to Chinese servers. It does not provide metrics on how many U.S. users have had data exposed through foreign-developed apps or what volume of personal information has crossed borders.

The FBI also did not address what role Apple and Google play in vetting apps before they reach the App Store or Google Play. Both companies have their own review processes and have removed apps in the past for excessive data collection, but neither platform guarantees that an approved app’s data practices comply with U.S. users’ expectations once data leaves the device.

The bureau directed users to its own internet safety guidance and the Federal Trade Commission’s online privacy resources for practical steps. Both pages offer general digital hygiene advice but stop short of app-specific recommendations.

How to audit your phone right now

The FBI’s warning translates into a handful of concrete actions you can take in the next 15 minutes.

Review every installed app. On iOS, go to Settings > General > iPhone Storage. On Android, go to Settings > Apps. Scroll through the full list. If you do not recognize an app, no longer use it, or cannot verify who made it, delete it. Pay close attention to apps from companies headquartered in countries with broad state-security laws.

Strip unnecessary permissions. On both platforms, you can review which apps have access to your location, contacts, microphone, camera, calendar, and messages. A photo editor does not need your contacts. A calculator does not need your location. Switch location access to “While Using the App” wherever possible, and deny contact and calendar access unless the app clearly requires it to function.

Kill background activity. Some apps collect data even when you are not using them. On iOS, go to Settings > General > Background App Refresh. On Android, check Settings > Apps > [App Name] > Battery > Background restriction. Disable background activity for any app that does not need to update in real time.

Limit your account footprint. Use a unique email address and a strong, unique password for each service. A password manager makes this manageable. Enable multi-factor authentication wherever it is available. These steps will not stop a foreign government from compelling a company to hand over data, but they make it harder to link your information across multiple platforms if one is compromised.

Read privacy policies with suspicion. A clearly written privacy policy does not override the laws of the country where an app’s servers sit. If a company’s data infrastructure is in a jurisdiction with compelled-cooperation statutes, the policy is only as strong as that government allows it to be.

Your phone is the most intimate device you own

None of this means you need to retreat from your digital life or treat every foreign-developed app as malware. It means the FBI is telling you, in plain language, that the permissions you grant on your phone can extend far beyond what you see on screen. The combination of China’s statutory framework, the legal arguments validated by the Supreme Court docket, and the FBI’s decision to issue a nationwide warning adds up to a risk that deserves more than a shrug.

You do not need to wait for a confirmed breach to act. The safest assumption, as of June 2026, is that any permission you grant can be used to its fullest legal extent under whatever laws govern the servers on the other end. Reserve that level of access for the apps and companies you genuinely trust, and cut off everything else.


*This article was researched with the help of AI, with human editors creating the final content.

