A recently published in-depth research report describes a huge privacy risk in Android. The researchers found that Android apps use Google’s IAMs (Installed Application Methods) to get a list of the other apps installed on a user’s device.
You must have a lot of questions now, like “What are IAMs?” or “What can developers do with the list of apps that I use?”. Well, let me enlighten you.
Google originally created the Installed Application Methods (IAMs), a set of Android OS API calls (basically code within Android), so that developers could get specific data about the other apps on a user’s device, either to check for incompatibilities or to improve their own applications by tweaking some features.
However, the research found that some Android apps misuse these API calls and gather the list of a user’s installed apps in order to sell it to advertisers. By analysing the other apps installed on a user’s smartphone, an advertiser can infer a lot of information, such as the user’s gender, religious beliefs, the languages they speak or their age group. So, this poses a huge privacy risk for Android users.
The research was conducted by four academics from Italy, the Netherlands and Switzerland. They analysed thousands of popular Android apps and their code, looking for IAM API calls. They took exactly 14,342 Android apps from the top categories of the Play Store and another set of 7,886 apps whose source code was published online.
After analysing these apps, they found that over 4,214 of the 14,342 apps use the IAM calls within their code. This makes it over 30% of the top apps. Of the apps whose source code was already published online, only 2.89% use the said API calls.
The worst part is that users can’t even protect themselves from this privacy risk, because IAM-based fingerprinting is a “silent method”. This essentially means that apps that use these API calls do not need your permission to run the code on your device. Sometimes, IAM calls are even executed without the developers’ knowledge.
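The kind of code audit described above can be sketched as follows. This is an added example, not the researchers' tooling: it assumes the IAM calls are Android's PackageManager.getInstalledApplications() and getInstalledPackages() (the article does not name them), and the function name scan_sources, the packages com.example.notes and com.adsdk, and the sample sources are all constructed. It also separates calls in the app's own package from calls in bundled third-party code, one way a call can ship without the developer noticing.

```python
import re

# Assumed IAM calls: the two PackageManager methods that return the installed-app list.
IAM_CALL = re.compile(r"\.\s*(getInstalledApplications|getInstalledPackages)\s*\(")
PACKAGE_DECL = re.compile(r"^\s*package\s+([\w.]+)", re.MULTILINE)

def scan_sources(sources, app_package):
    """Return one finding per IAM call: (path, line_no, method, origin).

    origin is "app" when the file's declared package is inside app_package,
    otherwise "library" (bundled third-party code).
    """
    findings = []
    for path, text in sorted(sources.items()):
        decl = PACKAGE_DECL.search(text)
        pkg = decl.group(1) if decl else ""
        own = pkg == app_package or pkg.startswith(app_package + ".")
        origin = "app" if own else "library"
        for line_no, line in enumerate(text.splitlines(), start=1):
            code = line.split("//", 1)[0]  # ignore commented-out calls
            for match in IAM_CALL.finditer(code):
                findings.append((path, line_no, match.group(1), origin))
    return findings

# Constructed sample input: one app file and one bundled SDK file.
SAMPLE_SOURCES = {
    "com/example/notes/MainActivity.java": """package com.example.notes;
public class MainActivity {
    void check(android.content.pm.PackageManager pm) {
        // pm.getInstalledPackages(0) was removed in v2
        pm.getInstalledApplications(0);
    }
}
""",
    "com/adsdk/Tracker.java": """package com.adsdk;
class Tracker {
    java.util.List<android.content.pm.PackageInfo> apps(android.content.pm.PackageManager pm) {
        return pm.getInstalledPackages(0);
    }
}
""",
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES, "com.example.notes"):
        print(finding)
```

Run against a decompiled or open-source tree, the "library" findings are the ones to trace back to a dependency and review with its vendor.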
The research paper, “Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on Users’ Device”, will be presented by the researchers at MOBILESoft 2020 in South Korea. You can check out the report for an in-depth view of the topic.