Android apps are snooping on your installed software
The news emerged this week in a paper from researchers in Italy, the Netherlands, and Switzerland. The privacy violations centre around installed application methods (IAMs), which are application programming interfaces (APIs) that allow applications to interact with other software on your phone without telling you. These let an app do a variety of things, including discovering the names of the other apps installed on the device.
There are legitimate uses for IAMs. An app such as a VPN, backup tool, or firewall might use them to co-operate with other installed software. An accessibility app can use them to make other software more usable for people with disabilities.
That doesn’t mean all instances are in the user’s best interest. The researchers studied 14,342 free Android apps in the Google Play Store, along with 7,886 open-source Android apps. They analysed the software’s use of IAM APIs and also followed up with a questionnaire for the apps’ developers to assess how aware they were of what the apps were doing (70 developers participated).
The most common piece of information collected via IAMs was packageName, which simply reports the names of other installed apps. This alone can reveal a lot about a phone’s user, though. The paper cites other research showing that it’s possible to deduce certain things about the user purely from the apps installed on their device, including gender, religion, relationship status, and countries of interest. Such methods can also predict major life events, such as marriage and becoming a parent, with up to 87% accuracy.
It’s no surprise, then, that commercial applications tended to use IAMs far more: 4,214 commercial apps used them, compared to just 228 open-source apps. The most common category of commercial app using this technique was games, at 73%.
Most of the commercial apps snooping on other installed software didn’t do it from within their own code. Instead, 83.66% of these queries came from third-party libraries that the apps used. More than one third (36%) of those libraries were classed as advertising-based, while the next most common category (31%) was utility libraries, effectively a catch-all of different functions to streamline software development.
In many cases, app developers were not aware that these libraries were making calls at all, and in one case a developer asked the researchers which piece of code the call was being made from so that it could be removed. One developer blamed a point-and-click app builder that they had used.
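Because most of the IAM calls came from third-party libraries rather than the developers' own code, the practical question for a developer is which dependency is making them. The script below is an added example, not code from the paper or the article: it walks decompiled smali text (the format produced by tools such as apktool/baksmali), records every call to a `PackageManager` method that enumerates or inspects other installed packages, and attributes each call site to the app's own package or to a third-party library by class prefix. The list of PackageManager methods, the sample smali, and the package names `com.example.myapp`, `com.adnetwork.sdk`, and `com.utilkit.core` are all constructed for the example.

```python
"""Static audit of installed-application-method (IAM) calls in decompiled smali.

Added example (not the paper's or the article's code). The sample smali is
constructed for illustration and does not come from any real app or library.
"""
import re
from collections import Counter

# PackageManager methods that reveal other installed software. This set is an
# assumption for the example and is not exhaustive.
IAM_METHODS = {
    "getInstalledApplications", "getInstalledPackages", "getPackageInfo",
    "getApplicationInfo", "queryIntentActivities", "getLaunchIntentForPackage",
}

CLASS_RE = re.compile(r"^\.class\b.*?\s(L[\w/$\-]+;)\s*$")
METHOD_RE = re.compile(r"^\.method\b.*?\s([\w<>$]+)\(")
INVOKE_RE = re.compile(
    r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*Landroid/content/pm/PackageManager;->(\w+)\("
)


def find_iam_calls(smali_files):
    """Return (class, method, api) for every IAM call in {file name: smali text}."""
    calls = []
    for text in smali_files.values():
        cls, method = None, None
        for line in text.splitlines():
            if m := CLASS_RE.match(line):
                cls = m.group(1)
            elif m := METHOD_RE.match(line):
                method = m.group(1)
            elif line.strip() == ".end method":
                method = None
            elif (m := INVOKE_RE.match(line)) and m.group(1) in IAM_METHODS:
                calls.append((cls, method, m.group(1)))
    return calls


def attribute_calls(calls, app_package):
    """Split call sites into first-party vs third-party code by class prefix.

    app_package is the app's own package in smali form, e.g. "Lcom/example/myapp/".
    Returns (Counter of first_party/third_party counts, {origin: set of APIs}).
    """
    summary, per_origin = Counter(), {}
    for cls, _method, api in calls:
        if (cls or "").startswith(app_package):
            origin = "app"
        else:
            # First three path segments of the class name stand in for the library name.
            origin = ".".join((cls or "L?;")[1:].split("/")[:3])
        summary["first_party" if origin == "app" else "third_party"] += 1
        per_origin.setdefault(origin, set()).add(api)
    return summary, per_origin


def report(smali_files, app_package):
    """Human-readable summary: total IAM call sites, third-party share, per-origin APIs."""
    summary, per_origin = attribute_calls(find_iam_calls(smali_files), app_package)
    total = sum(summary.values())
    share = 100.0 * summary["third_party"] / total if total else 0.0
    lines = [f"IAM call sites: {total} ({share:.1f}% in third-party code)"]
    for origin, apis in sorted(per_origin.items()):
        lines.append(f"  {origin}: {', '.join(sorted(apis))}")
    return "\n".join(lines)


# Constructed sample: one first-party backup service and two bundled libraries.
SAMPLE_SMALI = {
    "com/example/myapp/BackupService.smali": """\
.class public Lcom/example/myapp/BackupService;
.method public listApps()Ljava/util/List;
    invoke-virtual {p0}, Lcom/example/myapp/BackupService;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v0
    const/4 v1, 0x0
    invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
    move-result-object v0
    return-object v0
.end method
""",
    "com/adnetwork/sdk/DeviceProfile.smali": """\
.class public final Lcom/adnetwork/sdk/DeviceProfile;
.method public static collect(Landroid/content/pm/PackageManager;)V
    const/16 v0, 0x80
    invoke-virtual {p0, v0}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
    return-void
.end method
.method public static isInstalled(Landroid/content/pm/PackageManager;Ljava/lang/String;)Z
    const/4 v0, 0x0
    invoke-virtual {p0, p1, v0}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
    const/4 v1, 0x1
    return v1
.end method
""",
    "com/utilkit/core/Env.smali": """\
.class public Lcom/utilkit/core/Env;
.method public static launcher(Landroid/content/pm/PackageManager;Ljava/lang/String;)Landroid/content/Intent;
    invoke-virtual {p0, p1}, Landroid/content/pm/PackageManager;->getLaunchIntentForPackage(Ljava/lang/String;)Landroid/content/Intent;
    move-result-object v0
    return-object v0
.end method
""",
}

if __name__ == "__main__":
    print(report(SAMPLE_SMALI, "Lcom/example/myapp/"))
```

Run against a real decompiled APK by loading every `.smali` file under the output directory into the dictionary. The per-origin listing is what answers the question the developers in the study asked: it names the library class that makes each call, so the dependency can be replaced or its call removed, while the first-party call (here, the backup service's legitimate use) stays visible for review.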