The applications installed on your Android phone could be giving advertisers information on your age, gender, language, and personal beliefs through tools that were initially designed to aid developers.
Android, like other manufacturers, supply third-party developers with tools to help them create their applications. These tools, like Android Studio or ADB, help developers work with the operating systems in ways inaccessible to the average user. Developers can work with Apple OS as they want with these tools, but to have their apps featured on the Google Play store, they have to obey Google's policies.
In a recent research paper by academics in Italy, Switzerland, and The Netherlands, it was found that Android’s IAMs (Installed Application Methods) could be used to gather information on the user from the other applications found on their device. IAMs are Android tools intended to help developers find incompatibilities between apps. Due to this, their usage is extremely common. For example, the research team found that of the roughly fourteen thousand of the highest-ranking apps on the Google Play store, four thousand of them used IAMs.
Android Apps Spy On Other Apps
The paper noted that while IAMs were found in many of the apps they inspected, IAMs have two methods of gathering information, and the type of call made is related to the data provided. The first method sends a request for application information, often used for debugging. The second method sends out a call for package information; this can call up a list of apps installed on the device and other types of meta-data, which can then be used to infer things about the user. Researchers wrote, “using a single snapshot of a user’s installed apps, their gender can be instantly predicted with an accuracy around 70%, by training a classifier using established supervised learning techniques.” Both methods don’t require specific permissions from the user, due to them not being registered as sensitive functions.
The research team also looked at the number and types of IAM calls and found that of the queries made, almost 50% of them were for the listing packageName, suggesting that many developers used IAMs to collect user data from their installed applications. Android likely didn’t expect the tool would be used in this manner, as it's intended to help developers debug their applications. IAMs are currently being abused to gather information on users without their consent, information that advertisers or the developers can use to alter the user’s experience. As a result Android should mark IAMs as sensitive functions so that users stay in control of their online privacy.
Source: Ivano Malavolta