Privacy-related data such as 'applications installed on smartphones' is not protected at all



Engineer peabee has reported that Android apps are collecting privacy-related information about 'what apps are installed on the same smartphone.'

Everyone knows all the apps on your phone - by peabee

https://peabee.substack.com/p/everyone-knows-what-apps-you-use



Until 2022, apps installed on Android devices could view the list of apps installed on the same device without any user permission, which exposed private information about the user. With the introduction of a new package visibility policy in Android 11, which was released in 2022, it became impossible in principle to obtain a list of all installed apps. Instead, a mechanism was introduced that lets an app check whether specific other apps are installed, and only when that is essential to the app's core functionality.

By using the new features, for example, it is possible to detect 'what payment methods are available' and provide appropriate payment method options, and to improve security by detecting apps that clone apps or allow multiple accounts. In addition, Google gives permission to 'view all installed apps' only to special apps such as file managers, browsers, and antivirus apps.

When a normal app wants to get the installation status of other apps, it needs to specify in its manifest file which apps' status it wants to know about. When peabee investigated the contents of the manifest files of dozens of apps from major Indian companies, he found that many apps were collecting large amounts of app data.
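The manifest declarations described above can be audited from a decoded AndroidManifest.xml by listing its `<queries>` entries and checking for the `QUERY_ALL_PACKAGES` permission. The following is an added example, not code from peabee's post; the sample manifest, its package names and the review threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample in decoded (text) XML form; package names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.payments"/>
    <package android:name="com.example.games"/>
    <package android:name="com.example.streaming"/>
    <intent>
      <action android:name="android.intent.action.VIEW"/>
      <data android:scheme="upi"/>
    </intent>
  </queries>
  <application android:label="Delivery"/>
</manifest>
"""

def audit_package_visibility(manifest_xml, threshold=2):
    """Summarise what a manifest declares about visibility into other apps.

    threshold is an arbitrary review cut-off (assumption), not an Android limit.
    For manifests from untrusted APKs, parse with a hardened XML parser instead.
    """
    root = ET.fromstring(manifest_xml)
    packages, intent_actions = [], []
    for queries in root.findall("queries"):
        # Explicit <package> entries name the exact apps whose presence is checked.
        packages += [p.get(NAME) for p in queries.findall("package") if p.get(NAME)]
        # <intent> entries expose every app that can handle the given intent.
        intent_actions += [a.get(NAME) for a in queries.findall("intent/action") if a.get(NAME)]
    permissions = {p.get(NAME) for p in root.iter("uses-permission")}
    unique_packages = sorted(set(packages))
    return {
        "app": root.get("package"),
        "queried_packages": unique_packages,
        "intent_queries": intent_actions,
        "query_all_packages": QUERY_ALL in permissions,
        "exceeds_threshold": len(unique_packages) > threshold,
    }

if __name__ == "__main__":
    for key, value in audit_package_visibility(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Manifests inside an APK are stored as binary XML, so they must be decoded to text before this function can read them.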

For example, Swiggy, an Indian online food ordering and delivery app, is tracking the installation status of 154 apps. These include 'Xbox' and 'Playstation' apps, which peabee said 'don't seem necessary for Swiggy's core functionality' and 'Perhaps Swiggy is tracking the installation status of various apps to profile users, which violates Play Store policies.'



In addition, Zepto, a quick commerce app that allows users to order products and have them delivered in as little as 10 minutes, has obtained the installation status of almost all popular apps across categories, including Netflix and Binance.



Personal loan app Kreditbee even tracked the installation status of 860 apps.



peabee points out that the data collected in this way is 'used to research customer attributes.' As shown in the following slide by investment firm Blume Ventures, the wealth of users is estimated based on data on 'what apps are installed.' In fact, it has been reported that Zepto displays different prices to different users by collecting various data.



In addition, Zepto obtains permission to read SMS data sent by banks to offer postpaid plans, but in addition to the bank's sender ID, it also obtains permission to read SMS from competing apps such as Swiggy and Blinkit.



'There is absolutely no respect for individual privacy,' peabee warns.

in Mobile, Security, Posted by log1d_ts