Google is making it harder for Android apps to spy on each other


Google is making a change to Android that will prevent apps from snooping on one another.

Taking effect May 5 and applying primarily to Android 11, the rule update bans most apps from using the new QUERY_ALL_PACKAGES permission, which reveals details about the other apps installed on a device. 

It's meant to stop apps from getting sensitive information or creating device profiles that can be used for advertising or even spying purposes.

The exceptions will be apps that need to see what's going on as part of their core functions, including antivirus apps, browsers, file managers and search apps. Digital-wallet and banking apps may be able to ask for temporary exceptions. 

These apps will have to declare that they are using this permission in their Google Play listings.

Google explained in a new notice to app developers that it "regards the device inventory of installed apps queried from a user's device as personal and sensitive information." 

Apps that request to use the QUERY_ALL_PACKAGES permission "must be able to sufficiently justify why a less intrusive method of app visibility will not sufficiently enable your app's policy-compliant user-facing core functionality."

Abusing a privilege

The QUERY_ALL_PACKAGES permission, introduced with Android 11, replaces and supersedes an older set of functions that apps have used to see details about the other apps installed on an Android device, Catalin Cimpanu at The Record explained. 

These functions were originally created to resolve compatibility issues, but they ended up being abused. Because they were functions and not permissions, apps did not need to ask or even inform the user before calling them.

A year-old research paper found that roughly 30% of commercial Android apps — including nearly 73% of games — used these functions to get information about the other apps installed on a device. 

Less than 3% of open-source Android apps did so. Many of the app queries were generated by third-party ad and utility code used by app developers, often without the knowledge of the developers themselves.

Although this change in theory affects only Android 11, estimated to be on only about 6% of Android devices in active use right now, XDA-Developers explained that it will become more or less mandatory in November when Google will require that all app development "target" Android 11 or later rather than earlier versions. 
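A developer-side check for the third-party-code problem described above, added here as an example that is not from the article or from Google: it reads a plain-text merged AndroidManifest.xml and reports whether the broad permission is declared, the target API level (30 is Android 11), and any narrower `<queries>` entries the app declares instead. The sample manifest and its package names are constructed, and `audit_manifest` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BROAD = "android.permission.QUERY_ALL_PACKAGES"
ANDROID_11_API = 30

# Constructed sample of a merged, plain-text manifest (not from a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
  <queries>
    <package android:name="com.example.wallet" />
    <intent><action android:name="android.intent.action.SEND" /></intent>
  </queries>
</manifest>
"""


def audit_manifest(xml_text):
    """Summarise how much app visibility a manifest asks for (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")  # present in merged manifests, may be absent in source
    target = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    # Preview builds can carry a codename instead of a number; report None then.
    target_sdk = int(target) if target and target.isdigit() else None
    return {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "targets_android_11": target_sdk is not None and target_sdk >= ANDROID_11_API,
        # The broad permission: visibility of every installed app.
        "declares_query_all_packages": BROAD in perms,
        # Narrower declarations: only the named packages and intent actions.
        "queried_packages": [p.get(A + "name") for p in root.findall("queries/package")],
        "queried_intent_actions": [
            a.get(A + "name") for a in root.findall("queries/intent/action")
        ],
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against the merged manifest your build produces rather than the one in your source tree, since a permission pulled in by a library only appears after merging.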

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.