Over 4,000 Android apps are silently collecting your app information

A research paper recently found that as many as 4,000 Google Play apps silently collected details of other installed apps on Android phones, allowing developers to profile their users in a detailed manner.

What? How?

The researchers looked at over 14,000 free Android apps in the Google Play Store alongside nearly 7,900 open-source Android applications, before publishing their findings in their paper titled Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User's Device.

The report showed how commercial apps used installed application methods (IAMs), such as getInstalledApplications() and getInstalledPackages(), to identify apps installed on an Android device.

The researchers said the methods are not classified as sensitive APIs on the Android platform, which explained why these commands do not require permissions and do not require a declaration of use to end-users.

What can a bunch of installed apps tell them about me?

The gathered app install information can then be used to extrapolate personal details on the device user.

Further research in the same paper showed that these details can be used to predict the user's gender, religion, relationship status, spoken languages, significant life events, income, and other telling details with 60.3 per cent to 82.3 per cent accuracy.

The researchers also provided a breakdown of app types that uses IAMs to collect information, as illustrated in the chart below:

In summary, their research saw about 30 per cent of commercial apps in the wild using IAMs, while more than 70 per cent of apps in the Games and the Comics category are using IAMs.

Who's using that information?

What was also interesting was that the researchers managed to identify 56 advertising libraries that are receiving the data, with a handful responsible for 30 per cent of all observed IAM usage.

Below are the top 20 library packages that are interested in what a user installs on their Android devices:

What the researchers also found were that 9 out of 12 developers they've spoken to were 'surprised' that their IAM calls were used by advertising libraries they weren't aware of.

The researchers added that the iOS platform also have data collecting methods similar to IAMs, with a slightly different (more robust) approach.

From the paper:

"It is important to notice that IAMs are not exclusive to Android. Similar methods also exist in Apple's iOS, currently the second most popular mobile operating system. However, in recent versions of the operating system, applications of interest have to be preemptively declared inside the app own manifest file, and thus are reviewed by app store moderators before publication."

What's being done?

Fortunately, Google is already taking concrete actions to safeguard such data by making it the responsibility of app developers.

According to the research paper, Google is working on Android 11 (which will be available to the public in late 2020).

Android 11 will make app developers explicitly declare which apps they wish to inspect, or the apps they build would have to request for the new QUERY_ALL_PACKAGES permission from app users.

This article was first published in Hardware Zone.