this post was submitted on 30 Mar 2025

154 points (98.7% liked)

Privacy

5662 readers

11 users here now

A community for Lemmy users interested in privacy

Rules:

Be civil
No spam posting
Keep posts on-topic
No trolling

founded 2 years ago

MODERATORS

iopq@lemmy.world

154

Everyone knows all the apps on your phone (peabee.substack.com)

submitted 2 days ago* (last edited 2 days ago) by Ninjazzon@infosec.pub to c/privacy@lemmy.world

20 comments fedilink hide all child comments

Until a few years ago, any app you installed on an Android device could see all other apps on your phone without your permission.

Since 2022, with Android 11, Google removed this access from app developers. Under their new package visibility policy, apps should only see other installed apps if it’s essential to their core functionality. Developers must also explicitly declare these apps in the AndroidManifest.xml file - a required configuration file for all Android apps.

So I downloaded a few dozen Indian apps I could think of on top of my head and started reading their manifest files. Surely they will be respectful of my privacy and will only query apps essential to their app's core functionality? 🙃

top 20 comments

sorted by: hot top controversial new old

[–] Aurelius@lemmy.world 38 points 2 days ago (2 children)

The Hackernews thread on this discusses how this has been known for years and hasn’t been fixed by Google

[–] brucethemoose@lemmy.world 13 points 2 days ago

It’s a feature.

[–] the16bitgamer@programming.dev 7 points 1 day ago

I developed a Unity Plugin to utilize this. Was really good to see if another one of your own apps was installed

[–] jagged_circle@feddit.nl 19 points 2 days ago (1 children)

The worst part about Android is that I, as the owner of the device, can't deny permissions to apps at this granular of a level.

There should be a setting for enabling or disabling every single system call under the "advanced" permissions menu for each app.

SE Linux my ass.

[–] pinball_wizard@lemmy.zip 8 points 1 day ago (1 children)

There should be a setting for enabling or disabling every single system call under the "advanced" permissions menu for each app.

That's what GrapheneOS adds.

It's interesting that Google hasn't merged those features back into Android, itself.

[–] jagged_circle@feddit.nl 2 points 1 day ago

Did they open a PR?

[–] Imgonnatrythis@sh.itjust.works 11 points 2 days ago (2 children)

Seems like a simple 5 app limit on what developers can query should be sufficient. Also seems like this should be something users should be allowed to disable completely - at worst you can an error when an app can't locate a dependency. I admit to not knowing about this and find the vulnerability disturbing.

[–] A_norny_mousse@feddit.org 13 points 2 days ago (1 children)

It's not a vulnerability - it's part of the system. Google Play store reviews apps and thus implicitly allows such behavior. It's not just in the manifest or permissions either, data collection is rampant in apps and how could it not since that is the whole purpose of all Alphabet products.

[–] Imgonnatrythis@sh.itjust.works 5 points 2 days ago

Yes. A bit tounge in cheek, because it makes me feel vulnerable.

[–] possiblylinux127@lemmy.zip 6 points 1 day ago

Android used to allow read access to the entire filesystem...

[–] calisti@lemmy.blahaj.zone 4 points 2 days ago

What’s the situation on iPhone?

[–] A_norny_mousse@feddit.org 3 points 2 days ago (1 children)

Android & Googleverse is a cancer that permeates way more than just the OS or browser.

May I ask what phone OS you use if not Android or Android based?

Also, could you explain what the "different Indias" are?

[–] jagged_circle@feddit.nl 3 points 2 days ago

Debian. Pine Phone.

[–] rc__buggy@sh.itjust.works 2 points 2 days ago (1 children)

I have a shitty tracking app I have to use, I have it in the work profile with shelter, AFAIK that keeps it siloed from my regular apps

[–] Manalith@midwest.social 4 points 1 day ago (2 children)

What is this profile siloing you speak of?

[–] possiblylinux127@lemmy.zip 4 points 1 day ago

https://f-droid.org/packages/net.typeblog.shelter

[–] rc__buggy@sh.itjust.works 2 points 1 day ago

"work profile" "work apps"

I haven't really looked into how it works, but it's supposed to keep the apps in the work profile separate. I use it because our time clock app is a privacy nightmare and I can completely disable it with one click when I'm not working.

I use an app from F-Droid called Shelter.

[–] Geodad@lemm.ee 0 points 2 days ago (2 children)

Not on my Graphene OS phone.

[–] passenger@lemm.ee 4 points 2 days ago* (last edited 2 days ago)

Seems that is not true. Apps will see inside profiles as far as I know.

[–] possiblylinux127@lemmy.zip -1 points 1 day ago

"Graphene is perfect in every way and everyone should use it"