Do Phone-Use Agents Respect Your Privacy?

Abstract

We study whether phone-use agents respect privacy while completing benign mobile tasks. This question has remained hard to answer because privacy-compliant behavior is not operationalized for phone-use agents, and ordinary apps do not reveal exactly what data agents type into which form entries during execution. To make this question measurable, we introduce MyPhoneBench, a verifiable evaluation framework for privacy behavior in mobile agents. We operationalize privacy-respecting phone use as permissioned access, minimal disclosure, and user-controlled memory through a minimal privacy contract, iMy, and pair it with instrumented mock apps plus rule-based auditing that make unnecessary permission requests, deceptive re-disclosure, and unnecessary form filling observable and reproducible. Across five frontier models on 10 mobile apps and 300 tasks, we find that task success, privacy-compliant task completion, and later-session use of saved preferences are distinct capabilities, and no single model dominates all three. Evaluating success and privacy jointly reshuffles the model ordering relative to either metric alone. The most persistent failure mode across models is simple data minimization: agents still fill optional personal entries that the task does not require. These results show that privacy failures arise from over-helpful execution of benign tasks, and that success-only evaluation overestimates the deployment readiness of current phone-use agents. All code, mock apps, and agent trajectories are publicly available at~ https://github.com/FreedomIntelligence/MyPhoneBench.

Figures (6)

• Figure 1: Real-app examples of how a phone-use agent can cross privacy boundaries during a benign mobile task.
• Figure 2: Representative execution under the iMy privacy contract. Two strong models use the same four-tool privacy interface but diverge on permission-gated access, unnecessary disclosure, and later-session preference saving. Full trajectories are available in the released artifacts.
• Figure 3: The iMy interface (left) and three recurring privacy-risk structures operationalized as controlled probes (right).Left: iMy separates default-access from permission-required data and keeps saved items visible, editable, and deletable. Right: the three probe structures used to test over-permissioning, trap resistance, and form minimization (Section \ref{['sec:probes']}).
• Figure 4: Privacy probes by model (a) and by app (b). Form minimization is the hardest probe for all models.
• Figure 5: Later-session use of saved preferences.(a) Two single-session proxy diagnostics---saved after Session A and used when needed---compared with the paired later-session transfer metric. (b) Gap between single-session proxies and true later-session transfer.