A set of API calls known as the Installed Application Methods (IAMs) may be exposing Android users to a backdoor fingerprinting method, allowing advertisers to dig up potentially sensitive demographic information on them and even track what they access on the internet. The API calls quietly provide developers with a list of all of the other apps installed on the device, which could be used to infer traits such as religious preference and sexuality. It is also possible that this method could be used for tracking and identification by matching unique combinations of Android apps when users access certain apps or websites.
How developers get a list of your Android apps
Google created these API calls as a tool for developers to check for compatibility or interface issues with other apps that they might interact with or share overlapping permissions with. For example, they are commonly used by “launcher” apps that allow users to customize other aspects of the interface. Accessibility apps also commonly use this feature to add special functionality for disabled users. Intended as a diagnostic tool, these calls are executed without notifying the end user or asking for their permission.
A research paper published recently indicates that this feature is being abused by quite a few app developers and advertisers. The study found a little over 4,200 apps on the Google Play Store (out of a sample of about 22,000 analyzed) that used IAMs in this way. This type of IAM abuse was most common in games and comics, but multiple examples were found in nearly every conceivable category of app. At a rate of a little over 30%, the supposedly safe and vetted apps hosted on the Play Store were much more likely to be doing this than open source apps (which had a rate of just shy of 3%).
Researchers were able to differentiate this behavior from legitimate diagnostic purposes by looking for Android apps that only call for the “packageName” IAM, which delivers the list of installed apps, and then do nothing else related to diagnostics. Many of these packageName calls were also found to be originating from third-party libraries — such as those used by analytics tools or advertising networks — rather than from the app itself. Some of the app developers may not even be aware that these third-party services are gathering this information.
Though the API calls only provide a list of other installed apps, advertisers can potentially infer some private and sensitive personal characteristics from this information: age range, sexuality, gender, religious preferences, and languages spoken, among other possibilities.
Tracking via fingerprinting is also at least theoretically possible by comparing combinations of Android apps that would be unique to someone’s device. This could potentially be facilitated through the targeted networks used by advertisers, making it possible to personally identify a website visitor from their known list of Android apps.
How much could an advertiser possibly get from an app list?
If all of this sounds a bit alarmist, it might be helpful to look at some prior research in this area to understand the potential danger to users. A 2016 study of exactly this subject, conducted by a team of researchers based in Finland and Qatar, found that a suitable list of Android apps could enable advertisers to correctly predict gender 82.3%, age 77.1% and marital status 72.5% of the time.
Some apps provide a direct “tell” to advertisers, such as Qibla Compass Pro identifying a user as Muslim. Others are more indirect, and less obvious to the end user. For example, 83% of Pinterest users and 80% of Candy Crush Saga players are female. The presence of several Android apps with similarly strong demographic biases could lead one to predict gender with a high degree of confidence.
Will this be fixed?
The report notes several proposed changes for version 11 of Android (which is scheduled for release in late 2020) that would at least limit the ability of advertisers to collect user lists.
Google is considering adding a new permission called QUERY_ALL_PACKAGES that might prompt users to OK any calls for an app list, though it is still not entirely clear that is how it will function. Developers might also be required to declare the apps they intend to query in advance in the app manifest XML file (which must be submitted to Google as a condition of having the app hosted on Google Play).
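For anyone auditing an app against the two mechanisms described above, the following added example (not code from the article or the research paper) reads a decoded AndroidManifest.xml and reports how much of the installed-app list the app can see. It assumes the Android 11 design as Google documents it: the full permission name android.permission.QUERY_ALL_PACKAGES, the <queries> manifest element, and filtering that applies only to apps targeting API level 30 or higher. The manifest and package names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BROAD_PERMISSION = "android.permission.QUERY_ALL_PACKAGES"
FILTERING_API_LEVEL = 30  # Android 11; apps targeting lower levels are not filtered

# Constructed sample manifest (hypothetical app and package names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.comicreader">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <package android:name="com.example.payments"/>
    </queries>
    <application android:label="Comic Reader"/>
</manifest>"""


def audit_manifest(xml_text):
    """Classify how much of the installed-app list this manifest allows an app to see."""
    # ElementTree is not hardened against malicious XML: parse only manifests
    # produced by a decode step you trust.
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    raw = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    target = int(raw) if raw and raw.isdigit() else None
    permissions = {p.get(A + "name") for p in root.iter("uses-permission")}
    declared = sorted(
        p.get(A + "name") for p in root.findall("queries/package") if p.get(A + "name")
    )
    intent_queries = len(root.findall("queries/intent"))

    if target is not None and target < FILTERING_API_LEVEL:
        visibility = "unfiltered-legacy-target"  # old target: filtering never applies
    elif BROAD_PERMISSION in permissions:
        visibility = "all-packages"              # full app list despite any <queries>
    elif target is None:
        visibility = "unknown-target"            # cannot tell whether filtering applies
    elif declared or intent_queries:
        visibility = "declared-only"             # sees only what it declared up front
    else:
        visibility = "default-filtered"
    return {"package": root.get("package"), "target_sdk": target,
            "visibility": visibility, "declared_packages": declared,
            "intent_queries": intent_queries}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

An "all-packages" or "unfiltered-legacy-target" result on an ad-supported app with no launcher or accessibility role is the combination worth a closer look.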
Considering that there are legitimate development uses for this set of API calls, the most reasonable solution seems to be a user permission request whenever advertisers want to collect a list of Android apps. However, at this point there is no clear indication that Google will implement this in the upcoming Android OS update.
At the moment, the average Android user has little ability to identify or stop this backdoor data collection. The best general security advice is to limit the use of “free” apps that are ad-supported, as these overwhelmingly are the most likely to snoop on your other Android apps. More details on this research are scheduled to be presented at the MOBILESoft 2020 conference in Seoul, which will be held on May 23 and 24 unless there is a reschedule due to the pandemic.