More than 4,000 Google Play apps silently collect a list of all other installed apps in a data grab that developers and advertisers can use to create detailed user profiles, according to a recently published research paper.
The apps use a programming interface provided by Android, which searches a phone for details about all other apps installed on the phone. The app details – including name, date of first installation and last update, and more than three dozen other categories – are uploaded to remote servers without permission and without notification.
I am what I am
Android's installed application methods (IAMs) are application programming interfaces that allow apps to silently interact with other programs on a device. They use two methods to get different types of information about installed apps, neither of which Google classifies as a confidential API. The absence of such a label allows the methods to be used in a way that is invisible to users.
Not all apps that collect details about other installed apps do this for nefarious purposes. Developers interviewed by the researchers behind the new paper said the collection is the foundation of launcher apps that allow you to customize the home screen and provide shortcuts to open other apps. IAMs are also used by VPNs, backup software, notification managers, anti-malware, battery savers and firewalls.
The data grab can also be used by advertisers and developers to create a detailed user profile, the researchers reported in their paper, entitled "Leave my Apps Alone! A study of how Android developers access installed apps on the user's device." They cited previous studies, including one that found that a single snapshot of apps installed on a device allowed researchers to predict the gender of the user with an accuracy of around 70 percent. Follow-up results from the same researchers expanded the demographics that could be inferred to include traits such as religion, relationship status, spoken languages and countries of interest. A study by different researchers found that the user demographics that can be inferred also include age, race and income. That study also found that a user's gender can be predicted with an accuracy of 82 percent.
"Since other privacy-related parts of the Android platform are protected by app permissions and developers are forced to notify users explicitly before trying to access them, the question arises as to why IAMs are treated differently," the researchers, from the University of L'Aquila in Italy, the Vrije University in Amsterdam and the ETH in Zurich, wrote in the latest publication. "Indeed, the General Data Protection Regulation of the European Union (GDPR), which is widely regarded as a pioneer in data protection regulations, considers 'online identifiers provided by their devices, applications, tools and protocols' (…) as personal data for all purposes and means."
The new report states that Google is considering several changes to Android that have already been added to a beta of version 11 (general release is scheduled for the third quarter, but it is not clear whether this timeframe is subject to postponements caused by the COVID-19 pandemic). Under the change under consideration, for an app to interact with other apps, the developer must either (1) explicitly declare in the app manifest – a file that describes essential information about the app – the apps that it wants to check, or (2) use a new permission called QUERY_ALL_PACKAGES, the exact function of which remains unclear to some developers.
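In Android 11 these two routes appear in the manifest as a `<queries>` element and as a `uses-permission` entry for `android.permission.QUERY_ALL_PACKAGES`. The following Python check is an added example, not code from the article or the paper: it reads a decoded AndroidManifest.xml and reports which route an app takes. The sample manifests are constructed, and the `review` flag and mode names are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifests (decoded XML); not taken from any real app.
SCOPED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scoped">
  <uses-sdk android:targetSdkVersion="30" />
  <queries>
    <package android:name="com.example.maps" />
    <intent><action android:name="android.intent.action.SEND" /></intent>
  </queries>
</manifest>"""
BROAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.broad">
  <uses-sdk android:targetSdkVersion="30" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
</manifest>"""
LEGACY = BROAD.replace('targetSdkVersion="30"', 'targetSdkVersion="29"')


def audit_package_visibility(manifest_xml):
    """Report how a manifest asks to see other installed apps."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "0")) if sdk is not None else 0
    packages = sorted(p.get(A + "name") for p in root.findall("queries/package")
                      if p.get(A + "name"))
    actions = sorted(a.get(A + "name")
                     for a in root.findall("queries/intent/action")
                     if a.get(A + "name"))
    if target < 30:
        # Package visibility filtering only applies to apps targeting API 30+.
        mode = "unfiltered-legacy-target"
    elif QUERY_ALL in perms:
        mode = "all-packages"
    elif packages or actions:
        mode = "declared"
    else:
        mode = "default-only"
    # Heuristic (assumption): full app visibility plus network access needs review.
    review = mode in ("all-packages", "unfiltered-legacy-target") and INTERNET in perms
    return {"app": root.get("package"), "mode": mode, "packages": packages,
            "intent_actions": actions, "review": review}
```
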
The change, according to the researchers, still does not address one of the main shortcomings behind IAM abuse, namely the lack of notification to users that an app may require a permission that could compromise privacy. Under the change being considered, apps would still not need to disclose their collection of details about any other installed apps. Google representatives did not respond to an email asking about the planned changes in Android and requesting a more general comment on this article.
Spy on the app
The researchers examined 14,342 free Android apps in the Google Play Store and 7,886 open source Android apps, and analyzed the apps' use of IAMs. The researchers found that 4,214 of the Google Play apps, which make up just over 30 percent of the apps examined, used IAMs. Only 228 of the open source apps, or a little less than 3 percent, collected details about other apps. With more than 3 million apps available on the Google-hosted service, the actual number of curious apps is almost certainly an order of magnitude higher than the 4,214 found in the study.
In descending order, the top five Google Play app categories in which data was collected most frequently were: games (73 percent), comics (71 percent), personalization (61 percent), cars and vehicles (54 percent), and family (43 percent). The following illustration shows the use of IAMs in all categories.
[Figure: use of IAMs across Google Play app categories. Credit: Soccia et al.]
The paper did not identify any of the apps by their names.
The vast majority of Google Play apps that collected app data (84 percent) used third-party code libraries. Researchers identified 56 ad libraries that collected the data and found that a “small number” of them made up more than a third of all IAMs used by bundled libraries. Other bundles identified were utility libraries, custom libraries, and analysis and app promotion libraries. Below is a table with the 20 most common libraries:
[Table: the 20 most common libraries. Credit: Soccia et al.]
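Whether an IAM call comes from an app's own code or from a bundled library can be checked on a decompiled app. The following is an added example, not the researchers' tooling: it counts call sites of the two PackageManager methods that list all installed apps (getInstalledPackages and getInstalledApplications, which the article does not name) in smali text and attributes each to the app's package or to bundled code. The smali fragments and all class and package names are constructed.

```python
import re
from collections import Counter

# PackageManager methods that enumerate every installed app (the IAMs).
IAM_CALL = re.compile(
    r"invoke-\w+(?:/range)? \{[^}]*\}, Landroid/content/pm/PackageManager;->"
    r"(getInstalledPackages|getInstalledApplications)\(")
CLASS_DECL = re.compile(r"^\.class\s.*?L([\w/$]+);", re.M)

# Constructed smali fragments; class and package names are hypothetical.
SAMPLE_SMALI = {
    "MainActivity.smali": """.class public Lcom/example/game/MainActivity;
.method public onCreate()V
    invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
.end method""",
    "Profiler.smali": """.class final Lcom/adsdk/hypothetical/Profiler;
.method a()V
    invoke-virtual {v2, v3}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
    invoke-virtual {v2, v3}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
.end method""",
    "Backup.smali": """.class public Lcom/example/game/Backup;
.method b()V
    invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
.end method""",
}


def attribute_iam_calls(smali_sources, app_package):
    """Count IAM call sites, split into the app's own code and bundled code."""
    app_prefix = app_package.replace(".", "/") + "/"
    counts = Counter()
    for text in smali_sources.values():
        decl = CLASS_DECL.search(text)
        if decl is None:
            continue  # not a class file we can attribute
        cls = decl.group(1)
        origin = "app" if cls.startswith(app_prefix) else "library"
        owner = ".".join(cls.split("/")[:2])  # coarse owner: first two segments
        for call in IAM_CALL.finditer(text):
            counts[(origin, owner, call.group(1))] += 1
    return counts
```
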
"When discussing the results, we assumed that the vast majority of IAM calls made by advertising libraries were used for profiling purposes, and therefore suggested some possible changes to the Android platform," the researchers wrote. Key recommendations included notifying users that an app is requesting permission to access other installed apps. As with other authorization requirements, it should give users the option to decline.
The researchers said that Apple's iOS uses methods similar to IAMs so that apps can track other apps installed. The researchers added that in newer versions of the operating system, "applications of interest must be declared preventively in the app … manifest file and therefore checked by app store moderators before they are published".
As already mentioned, there are legitimate reasons for apps to collect details about other installed apps. But there is also cause for concern. This latest research only confirms the advice I've given for a long time: Android apps should be installed sparingly and only if they offer a clear advantage. It also helps to prioritize paid apps over free apps, as the latter category tends to depend on advertising revenue. The research also shows that open source apps collect less app data. However, they also require users to allow installation from third-party marketplaces.