Most applications on our smartphones are harmless and can be used with confidence. However, this is not the case for several thousand Android apps. According to researchers at the Vrije Universiteit Amsterdam, University of L'Aquila and ETH Zurich, these apps collect information about the apps users have installed on their cell phones without the owner's knowledge.

Based on this data, it is possible to create a profile, which puts our privacy at stake. It is all described in the research report 'Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User's Device'.
Quickly looking up what time the train leaves, finding the fastest route to your destination, or ordering a bunch of flowers: apps come in all kinds and make our lives easier. Not for nothing do smartphone users have an average of 60 apps on their phones. And most apps "talk" to each other with programs called APIs.
What an Application Programming Interface, or API, is can be explained most easily with a metaphor. Suppose you are in a restaurant and want to order food. Your order must then reach the chef in the kitchen, who prepares the dish for you. You then need a line of communication between you and the kitchen. In this case, that's the waiter, or API. Apps work the same way. If you have read a review about a restaurant and want to pass the address to a navigation app, the two apps need to communicate. That is done with an API.
In a nutshell, APIs allow traffic between developers of different apps to provide a better user experience. Users often have no notion of this: after all, they do not have to give explicit permission for this, nor are they actively informed about it. Apps "talk" to each other to exchange data, and for most this is sufficient. Others are less keen on this and fear that their privacy is at stake.
The API methods that apps use, without users being aware of their existence or operation, to read which apps are installed are what the researchers call Installed Application Methods, or IAM for short. In their paper, they argue that until now there had been no empirical research on how Android developers use IAM to gather information about users. The researchers aim to fill this gap. They examined 14,342 Android apps available for free download from the Google Play Store and 7,886 so-called open-source Android applications (apps you can install on your smartphone outside the Play Store).
The study shows that the deployment of IAM is quite common among commercial apps. Three in 10 apps in this category (30 percent) deploy IAM to gather information about their users. "Commercial apps" is a broad category that includes games, cars and events. Among open-source apps, that share is considerably lower, at 2.89 percent.
The researchers obviously looked at what information developers collect with IAM. Both apps from the Google Play Store and open-source applications widely collect data packets labeled packageName. That means apps transmit data about which apps a person has installed on his or her smartphone. Nearly half of all apps surveyed in both categories covertly collect this information. Other variables typically forwarded include dates on which apps are installed, app versions and when someone last updated apps.
The researchers not only looked at more than 14,000 apps, but also sent questionnaires to Android developers. In this way, they wanted to chart the extent to which developers intentionally collect personal data through IAM. In total, the researchers received 70 fully and correctly completed questionnaires. This shows that most developers are not always aware of data collection practices. The code used for this purpose often comes from software libraries and APIs of third parties, such as advertisers. It is therefore obvious that this data is used to build profiles.
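
As an added illustration (not code from the study or from this article), the sketch below audits decompiled smali text for IAM calls and reports whether each call sits in the app's own package or in bundled third-party code, which is the situation the developer survey points to. It assumes the IAMs are the Android PackageManager methods getInstalledPackages and getInstalledApplications; the `com.example.shop` app, the `com.adsdk.hypothetical` SDK and the smali fragments are constructed for the example.

```python
import re
from collections import defaultdict

# Assumption: these two PackageManager methods are the IAMs being searched for.
IAM_CALL = re.compile(
    r"invoke-\S+\s+\{[^}]*\},\s*Landroid/content/pm/PackageManager;->"
    r"(getInstalledPackages|getInstalledApplications)\("
)
CLASS_DECL = re.compile(r"^\.class\s+.*?L([\w/$]+);", re.M)

def find_iam_calls(smali_text):
    """Return (declaring_class, method) for every IAM call in one smali file."""
    decl = CLASS_DECL.search(smali_text)
    owner = decl.group(1).replace("/", ".") if decl else "<unknown>"
    return [(owner, call.group(1)) for call in IAM_CALL.finditer(smali_text)]

def audit(smali_files, app_package):
    """Group IAM call sites by origin: the app's own package or bundled code."""
    report = defaultdict(list)
    for text in smali_files:
        for owner, method in find_iam_calls(text):
            first_party = owner.startswith(app_package + ".")
            report["first-party" if first_party else "third-party"].append((owner, method))
    return dict(report)

# Constructed smali fragments (hypothetical app and SDK, not from a real APK).
SAMPLE = [
    # App code that only reads its own package entry: not an IAM call.
    ".class public Lcom/example/shop/MainActivity;\n"
    "invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->"
    "getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;\n",
    # Bundled SDK class that enumerates every installed package.
    ".class public final Lcom/adsdk/hypothetical/Profiler;\n"
    "invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->"
    "getInstalledPackages(I)Ljava/util/List;\n",
    ".class Lcom/adsdk/hypothetical/Inventory;\n"
    "invoke-virtual/range {v3 .. v4}, Landroid/content/pm/PackageManager;->"
    "getInstalledApplications(I)Ljava/util/List;\n",
]

if __name__ == "__main__":
    for origin, hits in audit(SAMPLE, "com.example.shop").items():
        for owner, method in hits:
            print(f"{origin}: {owner} calls {method}()")
```

A developer can run the same check over the smali output of a decompiler for their own build to see which bundled libraries reach for the installed-app list before shipping.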
In their paper, the researchers argue that some adjustments to the Android platform are in order. Users should be clearly warned before installing an app that data will be collected for profiling. They must then consent to this if they want to use the app. Refusing this consent should also be an option. Whether Google will implement these proposals anytime soon remains to be seen. After all, the search giant does not label this data as sensitive, which puts it outside the permissions system introduced in 2015.
