API Backdoor Exposes Android Users' Sensitive Data

A recent research paper reports that a set of Android APIs called Installed Application Methods (IAMs) exposes Android users' sensitive information to advertisers. IAMs have a legitimate purpose: they were designed so developers can check for compatibility issues when their apps are launched on particular devices. However, IAMs can be abused to retrieve the list of other apps installed on the device, from which advertisers can infer personal attributes such as religion or gender.

The report uncovered the abuse by finding that more than 4,200 apps on the Google Play Store use IAMs only to recover a list of apps on the device and not for diagnostic purposes. Of 22,000 apps analyzed, the researchers found that around 30% of those listed on Google Play were abusing IAMs in this manner.

Specifically, the abusive pattern calls an IAM and reads only the packageName of each returned app, using no other API function or field. packageName identifies the other apps installed on a device but has no diagnostic value on its own. This behavior was most common in games and comics apps, but the researchers found examples in every category of app.
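The "packageName only" distinction above is a usable audit signal. As an added example (not code from the paper or the article), the Python heuristic below classifies a decompiled source file by which IAM calls it makes and which result fields it reads; it assumes the IAMs are PackageManager.getInstalledApplications and getInstalledPackages, and the app snippets it is run on are constructed.

```python
import re

# PackageManager methods treated here as Installed Application Methods
# (assumed set; the article names the class of APIs only as "IAMs").
IAM_CALLS = ("getInstalledApplications", "getInstalledPackages")

# ApplicationInfo / PackageInfo fields a genuine compatibility check would read.
DIAGNOSTIC_FIELDS = ("targetSdkVersion", "minSdkVersion", "versionCode",
                     "versionName", "flags", "sourceDir", "uid")

_FIELD_RE = re.compile(r"\.(packageName|" + "|".join(DIAGNOSTIC_FIELDS) + r")\b")


def classify_iam_usage(source: str) -> dict:
    """Classify one decompiled source file by how it uses IAM results.

    verdict is 'none' (no IAM call), 'diagnostic' (reads compatibility
    fields) or 'list-only' (reads nothing beyond packageName, the pattern
    the paper flags as app-list harvesting).
    """
    calls = sorted(c for c in IAM_CALLS if re.search(r"\b" + c + r"\s*\(", source))
    fields = sorted(set(_FIELD_RE.findall(source)))
    if not calls:
        verdict = "none"
    elif any(f in DIAGNOSTIC_FIELDS for f in fields):
        verdict = "diagnostic"
    else:
        verdict = "list-only"
    return {"iam_calls": calls, "fields_read": fields, "verdict": verdict}


def audit(files: dict) -> list:
    """Return the names of files whose IAM use is list-only, in input order."""
    return [name for name, src in files.items()
            if classify_iam_usage(src)["verdict"] == "list-only"]


# Constructed decompiled snippets standing in for real app code.
DIAGNOSTIC_SRC = """
List<ApplicationInfo> apps = pm.getInstalledApplications(0);
for (ApplicationInfo ai : apps) {
    if (ai.packageName.equals("com.example.plugin") && ai.targetSdkVersion < 26) {
        showLegacyPluginWarning();
    }
}
"""
LIST_ONLY_SRC = """
List<PackageInfo> pkgs = pm.getInstalledPackages(0);
JSONArray names = new JSONArray();
for (PackageInfo pi : pkgs) { names.put(pi.packageName); }
adSdk.setUserProperty("installed", names.toString());
"""
NO_IAM_SRC = "String me = context.getPackageName();"
```

Real decompiled output spreads such calls across classes, so in practice the heuristic is applied per app after joining its sources and should be read as a triage signal, not a verdict.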

Another study on the same subject indicated that a user's list of installed apps could predict gender with 82% accuracy, age with 77% accuracy, and marital status with 72% accuracy. The researchers have suggested fixes for this backdoor that they urge Google to include in Android 11 (due out later this year). Google has already indicated that it may require user consent before an app can retrieve the app list through IAMs.
