Until a few years ago, any app you installed on an Android device could see all other apps on your phone without your permission.
Since 2022, with Android 11, Google removed this access from app developers. Under their new package visibility policy, apps should only see other installed apps if it’s essential to their core functionality. Developers must also explicitly declare these apps in the AndroidManifest.xml file - a required configuration file for all Android apps.
So I downloaded a few dozen Indian apps I could think of on top of my head and started reading their manifest files. Surely they will be respectful of my privacy and will only query apps essential to their app’s core functionality? 🙃
The Hackernews thread on this discusses how this has been known for years and hasn’t been fixed by Google
It’s a feature.
I developed a Unity Plugin to utilize this. Was really good to see if another one of your own apps was installed
Would GrapheneOS have protections against this ?
Somewhat in progress: https://grapheneos.social/@GrapheneOS/113973056128380064
EDIT: wrong link, didn’t fully flesh out the thought, and more. I deserve the downvote!
–
There are on-going efforts to create what is know as App Communication Scopes in GrapheneOS, which covers similar ground to their Storage Scopes and Contacts Scopes. It’s been a WIP for while, though.
Can you explain? Not saying you’re wrong but that short paragraph does not seem to address the contents of this posts’s article.
Oops! I shared the wrong link, and also meant to say ‘Somewhat in progress.’ Explains why I got downvoted.
There are on-going efforts to create what is know as App Communication Scopes in GrapheneOS, which covers similar ground to their Storage Scopes and Contacts Scopes. It’s been a WIP for while, though.
Thanks that makes more sense. But I’ll believe it when it’s implemented.
It is very hard to implement properly
This is the problem with Android; the whole OS is built for Google and they have no interest in making this sort of thing easy. Building apps or end user stuff, sure, but fiddling around with its core functionality is not supported.
Good question, I’d like to know too.
Seems like a simple 5 app limit on what developers can query should be sufficient. Also seems like this should be something users should be allowed to disable completely - at worst you can an error when an app can’t locate a dependency. I admit to not knowing about this and find the vulnerability disturbing.
It’s not a vulnerability - it’s part of the system. Google Play store reviews apps and thus implicitly allows such behavior. It’s not just in the manifest or permissions either, data collection is rampant in apps and how could it not since that is the whole purpose of all Alphabet products.
Yes. A bit tounge in cheek, because it makes me feel vulnerable.
Android used to allow read access to the entire filesystem…
What’s the situation on iPhone?
I have a shitty tracking app I have to use, I have it in the work profile with shelter, AFAIK that keeps it siloed from my regular apps
What is this profile siloing you speak of?
“work profile” “work apps”
I haven’t really looked into how it works, but it’s supposed to keep the apps in the work profile separate. I use it because our time clock app is a privacy nightmare and I can completely disable it with one click when I’m not working.
I use an app from F-Droid called Shelter.
Android & Googleverse is a cancer that permeates way more than just the OS or browser.
May I ask what phone OS you use if not Android or Android based?
Also, could you explain what the “different Indias” are?
Not on my Graphene OS phone.
Seems that is not true. Apps will see inside profiles as far as I know.
“Graphene is perfect in every way and everyone should use it”
