Google to restrict Android apps from viewing other apps installed on the same device
Google announced plans today to restrict the ability of Android apps to see what other applications are installed on the same device, citing privacy and security reasons.
The update will go into effect on May 5, 2021. After that date, Android app developers won't be able to upload new apps to the Play Store that target Android 11 (API level 30) or later and use the "QUERY_ALL_PACKAGES" permission.
QUERY_ALL_PACKAGES has been deemed a "high risk or sensitive permission," and only select apps will be allowed to use it.
According to Google, this permission will only be available for apps that perform device searching operations, antivirus apps, file managers, and web browsers.
Other apps such as digital wallets and e-banking applications may also be eligible to receive access to the permission if used for security purposes.
The decision to limit which apps can use this permission was a long time coming. Even if Android apps did not contain malware, ad-revenue-greedy developers often abused the permission to see what apps users had installed on their devices and sold this information to advertisers, who'd later use it to deliver targeted ads.
Today, Google said that it now regards "the device inventory of installed apps queried from a user's device as personal and sensitive information," and will be cracking down on apps abusing the feature for their own profit.
Google is now warning developers to update their apps or face suspensions from the Play Store starting May 5.
Academic work led to this decision
A source familiar with Google's decision told The Record the company started looking into the abuse surrounding apps getting lists of other apps installed on the device after a team of academics first raised the issue last year at a mobile developer conference in South Korea.
In a paper presented at MOBILEsoft 2020, the research team said they analyzed more than 14,300 Android apps and found that more than 4,000 abused various Android APIs called IAMs to get the list of locally installed apps.
At the time, the QUERY_ALL_PACKAGES permission was floated as an answer to this abuse, and Google today has tightened the leash around this permission to prevent a repeat of the IAM disaster.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.