
Major Indian apps bypass Google’s policy to view app drawer


Most of the major Android apps on the Google Play Store access sensitive data, namely the list of applications installed on your Android system, said Prashant Baid, an Internet Researcher and Software Consultant at a UK-based startup. In his report, he stated that the apps bypass Google’s privacy policies to gain access to private data.

Swiggy, JioHotstar, BookMyShow, Instamart, Meesho, Zepto, KreditBee, Axis Bank and LUDO King are just some of the many applications that look into your device’s app drawer. The applications likely need the list of installed apps for their “core functionality.” However, if the access to the list of apps is not for core functionality, it violates Google’s privacy protection policy, which would lead to “either suspension of the app and/or termination of the developer account,” as stated by Google’s privacy policies.

An investigation into the list of apps under surveillance revealed a possibility of fingerprinting and user profiling. Google lets an app check for other apps only if its core functionality would be affected without access to the full app list or to the specific list of apps it needs to check for. An example of such a case would be an antivirus app that needs to access the full list of installed apps to scan for malware.

Baid, who also goes by Pea Bee on Substack, found that apps whose core functionality is not dependent on apps listed in their Manifest files are extracting data without the user’s consent.

The list of apps that the Zepto app for delivery drivers checks for. | Source: Pea Bee on Substack

App developers have likely found a craftier method than package queries to access the list of installed applications. Every app that has a main screen or interface and runs in the foreground can be detected by using an “ACTION_MAIN” filter in the manifest configuration. Baid created a demo app to verify the methodology and said, “When I queried for installed packages, just as expected, this little hack returned a list of all the apps on my phone!!!”

Among Indian apps, 31 out of 47 analysed apps used the workaround to get the full list of installed applications. “I’m surprised KreditBee and Moneyview apps passed the Play Store’s review. Play Store policy explicitly restricts personal loan apps from using the QUERY_ALL_PACKAGES permission,” Baid said.

“But these apps are bypassing this restriction by individually listing every app they want to detect in their manifest file instead.” Knowing the list of apps on every individual’s device allows user data to be categorised, which in turn leads to user profiling.
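For anyone reviewing an app for the three behaviours described above (the QUERY_ALL_PACKAGES permission, an ACTION_MAIN query, and a long per-package list in the manifest), the following Python script audits a decoded AndroidManifest.xml. It is an added example, not code from Baid's report; the sample manifest, its package names and the review threshold of 20 are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PACKAGE_LIST_THRESHOLD = 20  # assumption: a review cutoff, not a Play Store rule

# Constructed sample manifest (decoded text form); package names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.wallet"/>
    <package android:name="com.example.rival"/>
    <intent>
      <action android:name="android.intent.action.MAIN"/>
    </intent>
  </queries>
  <application/>
</manifest>"""


def audit_manifest(xml_text, threshold=PACKAGE_LIST_THRESHOLD):
    """Return package-visibility findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    packages, main_query = [], False
    for queries in root.iter("queries"):
        # Apps named one by one, the per-package listing Baid describes.
        packages += [p.get(NAME) for p in queries.findall("package")]
        for intent in queries.findall("intent"):
            actions = {a.get(NAME) for a in intent.findall("action")}
            # An ACTION_MAIN query matches every app with a main entry point.
            if "android.intent.action.MAIN" in actions:
                main_query = True
    return {
        "query_all_packages": "android.permission.QUERY_ALL_PACKAGES" in perms,
        "action_main_query": main_query,
        "listed_packages": sorted(packages),
        "long_package_list": len(packages) >= threshold,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A finding here is a prompt for manual review of whether the access serves the app's core functionality, not proof of a policy violation.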


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
