Google is making some new changes to the Developer Program Policy that will make it harder for apps to see what other apps are installed on your Android device. Google says it regards the full list of installed apps on a user’s device to be personal and sensitive information, and as such, will limit which apps can access this information. Specifically, Google will be restricting which apps can request the QUERY_ALL_PACKAGES permission which is currently required for apps targeting API level 30 (Android 11) and above that want to query the list of installed apps on a user’s device that runs Android 11 or later.
These moves by Google to make Android’s permission system less permissive is a welcome one. These changes don’t really restrict users in what kinds of access and permissions they can give applications if they choose to do so, but the default access levels applications get are getting more restrictive, which I think is a good thing.
As long as we can keep making different choices and grant the access we choose, all is well.
Thom Holwerda,
Sandbox mechanisms are very important and as long as the owner in control and has the ability to override it I think it’s good. Additionally, it’s google’s prerogative to choose what to allow in the app store, that doesn’t bother me so long as owners have a practical means of bypassing google if necessary. And thanks to sideloading on android, we do.
It does annoy me when google (or apple for that matter) gives itself privileged access. Like taking away the user’s ability to replace the default camera application, or restricting APIs that developers use to scan wifi networks (google eventually backed down, but it really sucks that their intention was just to deny owners control altogether). Or apple giving itself privileges over NFC and bluetooth functionality, which negatively effected things like 3rd party contact tracing.
Obviously it’s important to have security mechanisms in place to counteract abuse, but one size does not fit all here and I don’t want to see regressive changes that end up harming legitimate users and developers by forcing unwanted policies without an override. Like on windows,,,I’m very glad normal applications don’t have administrative access, but at the same time I don’t want microsoft asserting it’s policies to override my right to use administrative access and applications on my computers however I see fit.
Alfman, I agree, but this is a tough one.
I remember when Microsoft first implemented security controls on Windows and Internet Explorer. Applications were hard coded to think they ran as Administrator, and many failed initially. After a while developers relented. And for the rest Windows gave them a “fake” folder to play with under user’s home.
And users were heavily pushed by some vendors to enable their “so much precious apps”. “Please click on the yellow bar to enable our web site”. “You need to install this codec to watch our video”, “You need to download this attachment, and rename it to.exe”, and so on. They went on to going into step by step detailed instructions to bypass Windows built in security.
And I believe many users were duped into following them. After all “that precious content” whatever that is was hidden by this arbitrary barrier.
This is all for naught.
Check this app: https://play.google.com/store/apps/details?id=tester.app.permission.zero.zeropermissionapp
Android by default is leaking a metric ton of information about your device even if you grant no permissions to an app.
More permission flags is good, but as long as apps can notice that they are denied access, they will either refuse to run or indefinitely nag the user, making the privacy protection effectively unusable. What’s needed is a “return fake data” mode for every capability: Return a tailored list of installed apps, return an empty list of contacts, return a fake location, only show certain blutooth devices, etc. All configurable per-app, like current capabilities are.