A new IDAC investigation found that several prominent Android Software Development Kits (SDKs) are collecting lists of all the apps installed on a user’s device and sending these lists to third parties — companies outside of users’ reasonable expectations — potentially exposing personal information such as a user’s religious beliefs, gender, political affiliations, hobbies, sexual orientation, relationship status, disabilities, health conditions, and more. Companies can then use this information for intrusive behavior such as unwelcome targeted advertising practices.
The Google Play Store Developer Guide considers lists of installed apps as personal information and prohibits collecting such information without user notice and consent. However, the SDKs we observed do not collect or handle data in compliance with the Google Play Store’s terms. Additionally, app developers may not be aware that the SDK’s are engaging in this discreet and problematic behavior.
How It Works
An SDK is a set of code with a specific functionality that developers can use in their apps. When users install an app that includes one of these SDKs, the SDK discreetly operates in the background. Because the SDK is embedded within the app, users are unaware it’s there and cannot do anything to stop this behavior from occurring because they can’t determine which apps have leveraged this nefarious SDK.
Our team also learned that Android does not make an effort to implement access controls to protect this information from being shared with third parties. There are currently no access permissions that allow users the ability to control which third parties can access the list of apps on their phones. Instead, apps on Android devices are encouraged to consult with Android’s Package Manager to obtain the list of installed apps on users’ devices.
However, even if Android disables their Package Manager feature and discourages the practice, there are other ways to obtain these app lists. The fundamental problem is that, as demonstrated by Android’s support, this information was never intended to be kept protected in the first place. This is a clear example of SDKs knowingly taking advantage of access to information without user transparency or consent.
Collecting a list of a user’s downloaded apps may not seem intrusive and problematic at first glance, but these lists can reveal an enormity of personal information about that specific user. Knowing what apps a person uses can expose sensitive details. For example, we can infer a user’s religious beliefs (Bible App), gender (Period Calendar), political affiliations (Fox News), hobbies (SkiTracks), sexual orientation (Grindr), relationship status (Tinder), disabilities (My MS Diary), health conditions (Fitbit Coach), and more. One quick look at a list of a user’s apps can help companies generate a unique user profile for unwelcomed targeted advertising practices, proving this behavior to be intrusive.
Users are not aware this information is being gathered by using these apps nor have they provided informed consent to allow the discreet collection of such potentially personal information. Lastly, users have no insight into, and control over, which third parties receive their personal information.
What Should Users Do?
While users should practice good digital hygiene and place public pressure on Android to better protect this information, the responsibility to ensure that user personal information is not shared in this discreet manner falls on app developers and Google, not users.
Developers must be transparent about their data practices with third party SDKs. Rather than encourage this behavior, Google should take the necessary steps to implement controls that prevent this type of misconduct. Lastly, Google should work closely with developers to educate them about SDK misapplication, and subsequently hold them accountable for handling personal data responsibly. Discreetly collecting lists of all the apps users install exposes sensitive personal information, placing users at risk.