Apps on Android have been able to infer the presence of specific apps, or even collect the full list of installed apps on the device. What's more, an app can also set to be notified when a new app is installed.
Apart from all the usual concerns about misuse of such a data grab, the information can be abused by a potentially harmful app to fingerprint other installed apps, check for the presence of antivirus, affiliate fraud, and even for targeted ads.
In 2014, Twitter began tracking the list of apps installed on users' devices as part of its "app graph" initiative with an aim to deliver tailored content. Digital wallet company MobiKwik was also caught collecting information about installed apps in the wake of a data breach that came to light earlier this week.
Indeed, a study undertaken by a group of Swiss researchers in 2019 found that "free apps are more likely to query for such information and that third-party libraries (libs) are the main requesters of the list of installed apps."
"As users have on average 80 apps installed on their phones, most of them being free, there is a high chance of untrusted third-parties obtaining the list of installed apps," the researchers added.
Another academic study published in March 2020 also found that 4,214 Google Play apps stealthily amassed a list of all other installed apps, thereby allowing developers and advertisers to build detailed profiles of users. Apps that do so typically achieve this by making use of what's called installed application methods — getInstalledPackages() and getInstalledApplications() — with the researchers uncovering that apps in games, comics, personalization, autos and vehicles, and family categories topped the list of apps collecting this information.
Last year, Google attempted to rein in this behavior by preventing apps from accessing this information by default starting Android 11, while also introducing new permission called "QUERY_ALL_PACKAGES" for apps that need access to the list of other installed apps.
"This filtering behavior helps minimize the amount of potentially sensitive information that your app doesn't need in order to fulfill its use cases, but that your app can still access," Google said.
Now in an attempt to step up its efforts to restrict the misuse of the QUERY_ALL_PACKAGES permission, Google has said it treats the inventory of installed apps as personal and sensitive user data.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
Effective May 5, 2021, the permission will be limited to only those apps that are used for device search, as well as antivirus apps, file managers, and browsers. Other apps such as a dedicated banking app or a digital wallet app can qualify for this permission solely for security-based purposes.
Google also said it wouldn't allow apps to request the QUERY_ALL_PACKAGES permission when the "data is acquired for the purpose of sale" or the required task can be achieved by an alternative method.
"Apps that fail to meet policy requirements or do not submit a Declaration Form may be removed from Google Play," the company noted. "If you change how your app uses these restricted permissions, you must revise your declaration with updated and accurate information. Deceptive and non-declared uses of these permissions may result in a suspension of your app and/or termination of your developer account."