IN A NUTSHELL:
- Researchers have tested the IAM function included in the Android API;
- In their opinion, this mechanism is a threat to users' privacy;
- The IAM is often used to collect information that can be used for targeted ads, for example.
The Android operating system has a little-known feature that can threaten users' privacy. It allows companies to find out what applications a person has installed on their smartphone. What's more, corporations are very keen to take advantage of this feature. The source of the information is a report prepared by four researchers from Switzerland, Italy and the Netherlands.
The source of the problem is a set of API (Application Programming Interface) methods called Installed Application Methods (IAM), which are often used by developers of various apps. They enable developers to detect conflicts with other software that could result in incompatibility. The researchers tested a total of over twenty thousand applications, and as many as 30.29% of them use IAM.
Knowledge of the applications installed on a phone may seem harmless, but this type of data can be used to infer a good deal of useful information, such as details of interests, race, gender or known languages, which is valuable e.g. when targeting ads (personalizing them in a way that better suits the user). To make matters worse, the phone owner has no influence on the IAM's operation: they cannot, for example, refuse to send the data in question. So-called IAM queries can even be issued by a company without the knowledge of the developer of a given application; it is enough that the application uses a specific component (e.g. an analytics package or an advertising library).
As you can guess, many entities use this option. How many? Suffice it to say that almost half of the queries addressed to the IAM concern the list of installed applications. This means that these methods are most often used for collecting information and not for debugging. This is evidenced by the fact that the queries most often concern commercial programs and are linked to additional libraries, not the code of the software itself.
In their report, the researchers conclude that the IAM has become a tool for collecting information about users. They recommend that Google limit the functionality of this API element, preferably by letting the smartphone owner make a choice in this regard through a classic access request.
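Because IAM queries are frequently made by bundled libraries rather than by the app's own code, a developer can audit their own build for them. The following Python scanner is an added example, not code from the report or from Android: it reads smali (as produced by a disassembler such as apktool), finds calls to the `PackageManager` methods `getInstalledApplications` and `getInstalledPackages`, and labels each call site as app code or library code. The package and class names in the samples are constructed for illustration.

```python
import re

# PackageManager methods that return the full list of installed apps.
IAM_METHODS = ("getInstalledApplications", "getInstalledPackages")

CLASS_RE = re.compile(r"^\.class\b.*\sL([\w/$]+);")
METHOD_RE = re.compile(r"^\.method\b.*\s([\w<>$]+)\(")
CALL_RE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, "
                     r"Landroid/content/pm/PackageManager;->(%s)\("
                     % "|".join(IAM_METHODS))

def find_iam_calls(smali_text, app_package):
    """List IAM call sites in one smali file and say whose code makes them.

    origin is "app" when the calling class lives under app_package and
    "library" otherwise (bundled code such as an ad or analytics SDK).
    """
    app_prefix = app_package.replace(".", "/") + "/"
    cls = method = None
    hits = []
    for raw in smali_text.splitlines():
        line = raw.strip()
        if (m := CLASS_RE.match(line)):
            cls = m.group(1)
        elif (m := METHOD_RE.match(line)):
            method = m.group(1)
        elif (m := CALL_RE.search(line)) and cls:
            origin = "app" if cls.startswith(app_prefix) else "library"
            hits.append({"class": cls.replace("/", "."), "method": method,
                         "iam": m.group(1), "origin": origin})
    return hits

# Constructed smali fragments (hypothetical class names) for the demo.
SAMPLE_SDK = """
.class public Lcom/example/adsdk/Profiler;
.method public collect(Landroid/content/pm/PackageManager;)Ljava/util/List;
    const/4 v0, 0x0
    invoke-virtual {p1, v0}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
.end method
"""
SAMPLE_APP = """
.class public Lcom/example/notes/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-virtual {p0}, Lcom/example/notes/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;
.end method
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SDK, SAMPLE_APP):
        for hit in find_iam_calls(sample, "com.example.notes"):
            print(hit)
```

A hit with origin "library" is the case the researchers highlight: the query is issued by a dependency, so it is worth checking whether the app developer knew about it.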
- Android - official website
- "Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User's Device" - report