Google appears to have finally realized that all apps should not have ready access to the installed apps list on an Android smartphone. The Android OS maker is now mending its ways and restricting the availability of the feature.
App developers should not have easy and open access to the name and type of apps an Android smartphone user has installed on the device. Now, Google is putting in security restrictions that prevent rampant use or abuse of the facility.
Android 11’s new ‘Query_All_Packages’ permission flagged as “sensitive” on the Play Store:
Starting this May, Google’s review process will restrict access to an important backend feature to apps the company feels truly need it. As the name suggests, Query_All_Packages lets an app read the entire app list on any Android smartphone.
Google has updated its Developer Program Policy and now considers the installed app list to be “personal and sensitive user data”. Hence, the company will be restricting which apps can gain access to the same.
— Mobile Marketing Reads (@mmarketingreads) April 2, 2021
Gaining access to a mere list of apps may seem innocent. However, the list can reveal all sorts of sensitive information, including a person’s dating preferences, banking information, password management, and political affiliation.
Simply put, a complete list of installed apps can reveal a lot of clues about a person. More importantly, malicious code writers could gain valuable information to conduct social engineering attacks.
Starting from May 5th, 2021, Android app developers will have to provide a very good reason for why Google should let them access such information. The Sensitive tag would automatically activate if developers seek the ‘Query_All_Packages’ permission.
Google has set some obvious exceptions to the rule, and there’s some time for Android apps:
Starting May this year, apps can use the ‘Query_All_Packages’ permission only if their “core user-facing functionality or purpose, requires broad visibility into installed apps on the user’s device.”
File managers, browsers, and antivirus apps need the data “for awareness or interoperability purposes”. Hence, such apps would gain access to the permission. Additionally, banking apps, digital wallet apps, and any other app that involves “financial transaction functionality” would qualify, as they need the permission “for security-based purposes”.
Google to restrict Android apps from viewing other apps installed on the same device
Background why the change was made: https://t.co/8pu98xFHvz
— CK's Technology News (@CKsTechNews) April 2, 2021
Moving ahead, Google could start removing or restricting the availability of apps that do not have a valid and justifiable reason to access the permission. The Play Store owner is mandating all developers (who wish to keep access) to complete a declaration form justifying their use of it.
It is not clear why Google would keep such sensitive information open for all developers to simply reach and grab. Incidentally, even though Google has added the restriction this year, its effectiveness will reportedly come into play starting next year.
Google will block most apps targeting Android 11 or later from accessing the full list of apps installed on a device unless the app's core functionality relies on that information. https://t.co/4cjwtLxaXm
— Liliputing (@liliputingnews) April 2, 2021
Google has added the ‘Query_All_Packages’ permission in Android 11. Hence, it only applies to apps targeting Android 11’s API level, which is “API Level 30”. Needless to add, there aren’t many apps that qualify.
Once Android 11 is a year old, the Play Store will make API level 30 the minimum for updating apps. In other words, apps that want the full app list will have to seek the Query_All_Packages permission starting next year.
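The API-level condition described above can be checked from an app's manifest. The following is an added example, not code from the article or from Google: it classifies a merged AndroidManifest.xml by target API level and by whether it requests the permission, which is declared in the manifest as `android.permission.QUERY_ALL_PACKAGES`. The `<queries>` element it also reports is Android 11's narrower way to name specific apps and is not mentioned in the article; the function name, verdict labels and sample manifests are constructed for illustration, and the input is assumed to contain a `<uses-sdk>` element.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"
FILTERING_API = 30  # Android 11: app-list filtering applies from this target level


def audit_manifest(xml_text):
    """Return (verdict, scoped_entries) for one merged AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    # <queries> is the narrow alternative: it names specific packages or intents.
    scoped = [child.get(ANDROID_NS + "name") or child.tag
              for q in root.findall("queries") for child in q]
    if target is None or not target.isdigit():
        return "target-unknown", scoped
    if int(target) < FILTERING_API:
        # Targets below API 30 are not filtered, with or without the permission.
        return "unfiltered-legacy-target", scoped
    if QUERY_ALL in perms:
        # Full list requested: the case Play review treats as sensitive.
        return "full-list-needs-declaration", scoped
    return ("scoped-queries" if scoped else "filtered-default"), scoped


# Constructed sample manifests (not taken from any real app).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.demo">')
SAMPLES = {
    "broad": _HEAD + '<uses-sdk android:targetSdkVersion="30"/>'
             '<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>'
             '</manifest>',
    "scoped": _HEAD + '<uses-sdk android:targetSdkVersion="30"/>'
              '<queries><package android:name="com.example.wallet"/></queries>'
              '</manifest>',
    "legacy": _HEAD + '<uses-sdk android:targetSdkVersion="29"/></manifest>',
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, audit_manifest(xml_text))
```
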