Apps on Android have been able to infer the presence of specific apps, or even collect the full list of installed apps on the device.
Apart from all the usual concerns about misuse of such a data grab, the information can be abused by a potentially harmful app to fingerprint other installed apps, check for the presence of antivirus, affiliate fraud, and even for targeted ads.
“As users have on average 80 apps installed on their phones, most of them being free, there is a high chance of untrusted third-parties obtaining the list of installed apps,”
A study published found that 4,214 Google Play apps stealthily amassed a list of all other installed apps, thereby allowing developers and advertisers to build detailed profiles of users. Apps that do so typically achieve this by making use of what’s called installed application methods getInstalledPackages() getInstalledApplications()
Google attempted to rein in this behavior by preventing apps from accessing this information by default starting Android 11, while also introducing new permission called “QUERY_ALL_PACKAGES” for apps that need access to the list of other installed apps. This filtering minimize the potential data grab. To restrict the misuse of the QUERY_ALL_PACKAGES permission, Google has said it treats the inventory of installed apps as personal and sensitive user data.
Effective May 5, 2021, the permission will be limited to only those apps that are used for device search, as well as antivirus apps, file managers, and browsers. Other apps such as a dedicated banking app or a digital wallet app can qualify for this permission solely for security-based purposes.
Google also said it wouldn’t allow apps to request the QUERY_ALL_PACKAGES permission when the “data is acquired for the purpose of sale” or the required task can be achieved by an alternative method.