ARK vs Hiya: the privacy-first reckoning

Three weeks after launch, a user emailed to say she'd ditched Hiya after five years. Her reason wasn't that ARK was faster or fancier. It was that for the first time, she knew what was actually happening on her phone, and nothing left the device without her permission.

The call-blocking assumption

Hiya does one thing well: it blocks spam calls. It's been doing that since 2011, and millions of people rely on it. The trade-off is baked in. To identify a spam number, Hiya's servers need to see your incoming call metadata. They need patterns. They need your phone's contribution to a global dataset.

When we started ARK, we made a different bet. We assumed people who cared enough to check their security posture also cared where that posture data went. So we built the core security score, the app permission audit, and the stalkerware detector to run entirely on your device. Your 0-100 score lives on your phone. It doesn't phone home unless you choose to activate Shield or Fortress tier, at which point we're explicit about what we monitor: dark-web mentions of your breach records, phishing links you encounter, Wi-Fi networks you join.

Hiya's model isn't wrong. It's just a different choice. They prioritise call filtering; we prioritised transparency.

What a real security score tells you that a spam filter doesn't

Hiya will tell you if that incoming call is likely spam. Useful. But it won't tell you if the app you installed yesterday has permission to access your contacts, your location, and your microphone simultaneously. It won't check whether your passwords have appeared in known breaches. It won't scan for stalkerware. It won't audit your two-factor setup or test your DNS for leaks.

ARK does all of that because we think "mobile security" is bigger than incoming calls. A user we spoke to earlier this year had been in the Optus breach. She knew her details were out there, but she had no way of knowing if any of her apps were actively exploiting that information or her device's permissions. She installed ARK, ran the scan, got a score of 41 out of 100, and saw exactly why: three apps with excessive permissions, a password from the breach still in use, no two-factor on her banking app.

That clarity drove her to act. She revoked permissions, changed the password, enabled 2FA. Her score climbed to 78 in a week. That's not call-blocking. That's understanding your own device.

Where the privacy difference shows up in practice

Here's the thing nobody talks about: if you want to scan dark-web marketplaces for your email address, someone has to do that scanning. If you want to check whether a suspicious link is a phishing attempt, something has to analyse it. The question is whether that analysis happens on your device or on a server, and whether your metadata travels with it.

On Shield tier, we run a QR and URL phishing scanner. Your device submits the URL and gets back a verdict. We don't log it. We don't build a profile of where you click. Similarly, the dark-web monitor checks if your credentials appear in known dumps. It uses the breach data; it doesn't use your browsing habits to infer anything else about you.

Hiya's model, by contrast, benefits from having sight of all those spam numbers. The more calls Hiya sees, the better its filtering gets. That's why it works well. But it also means Hiya has a complete picture of calling patterns across millions of users, and that data has real value. In 2021, Hiya sold its enterprise business to Synack. In 2023, it was acquired by Clearforce. Those aren't random companies; they're in the data aggregation game.

We're not saying that's evil. We're saying it's a choice. We chose differently.

When you need more than call-blocking

Some users only care about spam calls, and Hiya will always beat us there. But most people we talk to have a different set of worries. They've been in a breach and want to know if their credentials are being exploited. They share a family iPad with their kids and want to verify what apps can access. They run a small business with three employees, all using personal phones for email, and need to audit their device security quickly.

For those users, a call-blocking app is a piece of the puzzle, not the whole picture. On Fortress tier, we added data-broker exposure checks, SDK analysis to see what your apps are really doing beneath the surface, GDPR autopilot to auto-submit data-subject access requests, and voice-clone risk assessment. None of that touches spam calls. All of it touches the things that keep security-conscious people awake at night.

We also built the stalkerware detector into the free tier because we think intimate-partner surveillance is a bigger threat to most users than spam calls, and it shouldn't be behind a paywall.

The question we kept asking ourselves

During development, we ran into a moment where we had to choose: do we collect calling data to improve the app, or do we stay local-first and accept that some insights will be missed? We chose local-first, which meant our scanning had to be sharp and focused rather than broad and algorithmic. It meant we had to trust the user to understand their own device rather than infer threats from invisible patterns.

That's not a more sophisticated approach. It's a more honest one. Hiya solves a real problem brilliantly. If you're drowning in robocalls, it's worth trying. But if you want to know what your phone is actually doing, who can access what, and where your data might be leaking, you need something else. That's what ARK is for.

Both apps protect you. They just protect you against different threats, and they ask different prices for it. Which set of threats keeps you up at night?
