A research paper published this week has analyzed the current usage of a lesser-known feature of the Android operating system that could be a danger to user privacy.
The study found that many of today's top Android apps make use of IAMs (Installed Application Methods), a set of Android OS API calls that allow app developers to get a list of other applications installed on the device.
Google initially created these API calls[1, 2] to allow developers to detect app incompatibilities or fine-tune interactions with other apps. However, the study published this week suggests that IAMs are also being used to track and fingerprint users, posing a palpable privacy risk.
The danger to user privacy comes from the fact that an advertiser could infer interests and personal traits (gender, spoken languages, religious beliefs, age groups) by analyzing a user's list of installed applications.
In addition, there is also the issue that users can't protect themselves against IAM-based fingerprinting. This is because IAM calls are "silent methods," meaning that an app does not need to ask the user for permission before it executes.
Furthermore, many IAM calls are also executed without the app developer's knowledge. If an app supports an analytics package or an advertising library, researchers found that many of these ran silent IAM API calls without the app developer being aware this was happening.
More details about this research are available in a research paper titled "Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User's Device," set to be presented this fall at the MOBILESoft 2020 conference in Seoul, South Korea.