A substantial volume of private data resides on smartphones, necessitating robust operating system protections. The prevalence of advertising and tracking libraries has significant business for such personally identifiable information (PII), including the list of installed apps—a PII type (previously) often exploited by trackers and advertisers. Recent Android versions have sought to restrict access to such data, notably through the high-risk QUERY_ALL_PACKAGES permission, which is now tightly regulated through Google Play. However, our responsibly disclosed alternative method for querying installed apps intentionally remains unrestricted, undermining these protective measures. Our analysis of the top 2,000 Google Play apps reveals that \(21.6\%\) already exploit this loophole to access the user’s installed app lists.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Permission Granted? How Android’s App List Protection Fails in Practice

  • Julian Gagel,
  • Kris Heid,
  • Jens Heider

摘要

A substantial volume of private data resides on smartphones, necessitating robust operating system protections. The prevalence of advertising and tracking libraries has significant business for such personally identifiable information (PII), including the list of installed apps—a PII type (previously) often exploited by trackers and advertisers. Recent Android versions have sought to restrict access to such data, notably through the high-risk QUERY_ALL_PACKAGES permission, which is now tightly regulated through Google Play. However, our responsibly disclosed alternative method for querying installed apps intentionally remains unrestricted, undermining these protective measures. Our analysis of the top 2,000 Google Play apps reveals that \(21.6\%\) already exploit this loophole to access the user’s installed app lists.