Would You Like Spies With That?
Spies, fries. tuh-MEY-toh, toeh-MAH-toe. What are the permissions that go with that restaurant rewards app?
I'm old enough to remember needing a "membership card" for all my memberships. I had a plastic card for my grocery store discounts, for my hotel loyalty programs, for my lunch places (though those were often card-stock punch cards where once I got enough holes in it I got a free lunch item), for car rentals, airline loyalty programs, and the like. It got so that I had a secondary wallet in my laptop bag for all the ones I might need on my business trips. Some bright spark realized that those cards did take up too much space, so they started making smaller ones that could fit on a key ring. In the early 2000s I knew people who had between 5 and 10 on their key chains regularly. But those cards have given way to online accounts. And that's an arguably good thing, right? I mean, those plastic cards became bulky if you had enough of them, and they weren't particularly environmentally friendly. They also nearly always required reading a long number off of them over the phone or typing it into a website every time you tried to use your card's value.
Then those online accounts started being accompanied by a mobile app on our phones. This further improved convenience: we didn't have to log in every time we needed to use our cards, and we could get a scannable code for optical readers to appear on the screen, as well as full access to all the cloud-based data about our accounts, and life was good.
But somewhere along the line the data became more and more valuable to the rewards program managers, and we ended up with apps full of snoopers.
App Permissions
Any app installed on your mobile device needs permissions to do things. Here's an example of all the permissions one particular app requests:

That's a laundry list of permissions requested. Fortunately this particular app doesn't insist that all these permissions must be granted in order to even work - I've seen too many apps that insist on permissions that don't seem appropriate in order to just carry out their activities. Each of these permissions is a potential privacy intrusion waiting to happen.
Interestingly missing from this list: network access. It seems that's assumed to be a default requirement.
Take a minute and check the app permissions for your favorite restaurant loyalty app. I'm willing to bet it wants to at least have access to your location and notifications, perhaps also to your NFC system (tap-to-pay is part of that). Location, paired with network access (remember, that's a default allow), means that your app may well be continually sharing information with your favorite restaurant chain. There's no guarantee that they are, but what proof do you have that they are not? It is this lack of transparency that makes loyalty apps a threat to your privacy. That little plastic card could never do that.
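One way to run that check yourself, as an added example that is not from the original post: the script below reads a decoded Android manifest and separates permissions you are prompted for from those granted silently at install, then flags the location-plus-network pairing described above. It assumes Android; the app name, the `PROMO` permission and the sample manifest are constructed, and the permission tables are deliberately partial.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Partial tables (assumption: Android). Runtime permissions trigger a user prompt
# and can be revoked; normal ones are granted silently at install time.
RUNTIME = {P + n for n in ("ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
           "ACCESS_BACKGROUND_LOCATION", "POST_NOTIFICATIONS", "CAMERA",
           "READ_CONTACTS", "RECORD_AUDIO", "BLUETOOTH_SCAN", "BLUETOOTH_CONNECT")}
NORMAL = {P + n for n in ("INTERNET", "ACCESS_NETWORK_STATE", "NFC",
          "RECEIVE_BOOT_COMPLETED")}
LOCATION = {P + n for n in ("ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION")}

# Constructed sample: decoded manifest of a hypothetical loyalty app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.burritorewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="com.example.burritorewards.permission.PROMO"/>
</manifest>"""

def audit(manifest_xml):
    """Bucket requested permissions and flag the pairing the post worries about."""
    root = ET.fromstring(manifest_xml)  # use defusedxml for manifests you don't trust
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME)
            if name and name not in requested:
                requested.append(name)
    report = {
        "prompted": [p for p in requested if p in RUNTIME],
        "silent": [p for p in requested if p in NORMAL],
        "unclassified": [p for p in requested if p not in RUNTIME | NORMAL],
        "findings": [],
    }
    has_net = P + "INTERNET" in requested
    if has_net and LOCATION & set(requested):
        report["findings"].append("requests location; network access needs no prompt")
    if has_net and P + "ACCESS_BACKGROUND_LOCATION" in requested:
        report["findings"].append("requests location while the app is not in use")
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(key, value)
```

The "silent" bucket is why network access never shows up in the permission list you are asked to approve: it is granted at install time without a prompt.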
App Fingerprinting
I've discussed this in previous posts, but it seems a great many apps attempt to fingerprint you and your device beyond what you may be aware of.


So given that your app already (by default) has network access, and all of this sort of data is available to it by default, we again see that every installed application on your mobile device has a wealth of information to share with the app's owners, creators, and whomever they choose to share that data with. Again, I can't tell you that they are sharing all of this data, but I can tell you they have the capacity to do it without your knowledge. This becomes an issue of trust, as in most cases US-based companies face impressively lax oversight when it comes to profiting from sharing traceable data about you.
Countermeasures
All is not lost. There are two primary strategies for fighting this data drain.
Use a Browser and Uninstall the App
While not every capability available in an app is directly accessible through a website, a great many of them are. Bookmarks can even be added to your phone or tablet's home screen, or you can use them in the browser. Choosing a privacy-focused browser, such as DuckDuckGo, is helpful as well for its anti-cookie, anti-tracking capabilities. Let's face it, you can order pizza from a website, you don't have to have an app to do it, and the loyalty program can still track you and offer you rewards if you log in.
Will this stop all tracking? No, but unlike an app, a webpage stops running completely when you close the tab or browser it was running in, meaning you can better control when it has the chance to gather and share data.
Block App Tracking Attempts
You're not going to get rid of all your apps, and unless something significant changes with regard to the law or legislation, companies are going to continue to attempt to profit from surveilling you. So finding a solution that blocks more of those tracking attempts can help. It just so happens that DuckDuckGo's mobile app for Android does that. The iOS version does not, and that's something you can take up with Apple.

Is a Free Burrito Every Few Months Worth It?
This is a "choose your own adventure" situation. Maybe being tracked to within an inch of your life is worth it for the feeling of that free smoothie every few weeks, or that free size upgrade on your mocha-frapa-latte thing. But if reading this has taken all the fun out of those rewards for you, consider yourself better informed and better able to take action to protect yourself, your data, and your privacy.