Apps on Android have been able to infer the presence of specific
apps, or even collect the full list of installed apps on the
device. What’s more, an app can also register to be notified when a new
app is installed.

Apart from all the usual concerns about misuse of such a data
grab, the information can be abused by a potentially harmful app to
fingerprint other installed apps, check for the presence of antivirus[1], commit affiliate fraud[2], and even serve targeted
ads.

In 2014, Twitter began[3]
tracking the list of apps installed on users’ devices as part of
its “app graph” initiative with an aim to deliver tailored content.
Digital wallet company MobiKwik was also caught collecting information[4]
about installed apps in the wake of a data breach that came to
light earlier this week.

Indeed, a study undertaken by a group of Swiss researchers in
2019 found[5]
that “free apps are more likely to query for such information and
that third-party libraries (libs) are the main requesters of the
list of installed apps.”

“As users have on average 80 apps installed on their phones,
most of them being free, there is a high chance of untrusted
third-parties obtaining the list of installed apps,” the
researchers added.

Another academic study[6]
published in March 2020 also found that 4,214 Google Play apps
stealthily amassed a list of all other installed apps, thereby
allowing developers and advertisers to build detailed profiles of
users. Apps that do so typically achieve this by making use of
what’s called installed application methods[7] — getInstalledPackages()
and getInstalledApplications() — with the researchers uncovering
that apps in games, comics, personalization, autos and vehicles,
and family categories topped the list of apps collecting this
information.

Last year, Google attempted[8]
to rein in this behavior by preventing apps from accessing this
information by default starting with Android 11, while also introducing
a new permission called “QUERY_ALL_PACKAGES” for apps that need
access to the list of other installed apps.

“This filtering behavior helps minimize the amount of
potentially sensitive information that your app doesn’t need in
order to fulfill its use cases, but that your app can still
access,” Google said.
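To see which side of this filtering an app sits on, a reviewer can read its manifest. The sketch below is an added example, not code from Google or from the article: it assumes a text-form AndroidManifest.xml (for instance one decoded from an APK) and treats Android 11's `<queries>` manifest element as the narrower alternative to QUERY_ALL_PACKAGES; the function name, verdict labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"
FILTERING_API = 30  # Android 11; visibility filtering applies to apps targeting this or higher


def audit_package_visibility(manifest_xml):
    """Classify how a text-form AndroidManifest.xml asks to see other installed apps."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "0")) if sdk is not None else 0
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    packages, actions = [], []
    for q in root.iter("queries"):  # a merged manifest can carry several <queries> blocks
        packages += [p.get(ANDROID + "name") for p in q.findall("package")]
        actions += [a.get(ANDROID + "name") for a in q.findall("intent/action")]
    if target < FILTERING_API:
        verdict = "unfiltered-legacy-target"   # filtering does not apply to this app
    elif QUERY_ALL in perms:
        verdict = "full-inventory"             # the use that needs a Play declaration
    elif packages or actions:
        verdict = "scoped-queries"             # sees only what it declared
    else:
        verdict = "filtered-default"
    return {"target": target, "verdict": verdict, "packages": packages, "actions": actions}


def sample(target, body):
    """Build a constructed manifest for the demo; not taken from any real app."""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.demo"><uses-sdk android:targetSdkVersion="%d"/>%s'
            '</manifest>' % (target, body))


SAMPLES = {
    "wallet": sample(30, '<uses-permission android:name="%s"/>' % QUERY_ALL),
    "share": sample(30, '<queries><package android:name="com.example.partner"/>'
                        '<intent><action android:name="android.intent.action.SEND"/>'
                        '</intent></queries>'),
    "legacy": sample(29, ''),
    "plain": sample(30, '<uses-permission android:name="android.permission.INTERNET"/>'),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, audit_package_visibility(xml))
```
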

Now in an attempt to step up its efforts to restrict the misuse
of the QUERY_ALL_PACKAGES permission, Google has said[9]
it treats the inventory of installed apps as personal and sensitive
user data.

Effective May 5, 2021, the permission will be limited to only
those apps that are used for device search, as well as antivirus
apps, file managers, and browsers. Other apps such as a dedicated
banking app or a digital wallet app can qualify for this permission
solely for security-based purposes.

Google also said it wouldn’t allow apps to request the
QUERY_ALL_PACKAGES permission when the “data is acquired for the
purpose of sale” or the required task can be achieved by an
alternative method.

“Apps that fail to meet policy requirements or do not submit a
Declaration Form[10] may be removed from
Google Play,” the company noted[11]. “If you change how
your app uses these restricted permissions, you must revise your
declaration with updated and accurate information. Deceptive and
non-declared uses of these permissions may result in a suspension
of your app and/or termination of your developer account.”

References

  1. presence of antivirus (thehackernews.com)
  2. affiliate fraud (thehackernews.com)
  3. began (www.theguardian.com)
  4. collecting information (thehackernews.com)
  5. found (www.usenix.org)
  6. academic study (dl.acm.org)
  7. installed application methods (developer.android.com)
  8. attempted (developer.android.com)
  9. said (support.google.com)
  10. Declaration Form (support.google.com)
  11. noted (support.google.com)