Android is a very capable and powerful operating system. Unlike its iOS nemesis, Android is much more flexible, and friendlier to most developers.
But that creates issues, especially in terms of user privacy. Android apps tend to have more access to a device once they are installed, compared with iOS, which requires them to be sandboxed.
But Google is trying to improve the operating system with each new version.
And starting with Android 11, the QUERY_ALL_PACKAGES permission will be flagged as "sensitive" on the Play Store.
This means Google's review process will restrict the permission to only those apps Google feels really need it.
QUERY_ALL_PACKAGES essentially allows an app to read a user's entire app list. This can reveal all sorts of sensitive information, including dating preferences, banking information, password management, political affiliation and much more.
This is why it makes good sense for Google to simply lock this permission down.
On a support page, Google announced that:
On Android, apps whose purpose is to launch, search, or interoperate with other apps on the device may obtain scope-appropriate visibility to other installed apps on the device through what Google calls Package Visibility.
For example, Broad App Visibility allows apps to have extensive (or “broad”) visibility of the installed apps (“packages”) on a device. This can be done through the QUERY_ALL_PACKAGES permission.
With the update, apps may not use the permission if they can operate with a more targeted scoped package visibility declaration.
Using alternative methods to approximate the broad visibility level associated with this permission is also restricted to user-facing core app functionality and interoperability with any apps discovered via this method.
The second way is Limited App Visibility, which is when apps minimize their access to data by querying for specific apps using more targeted (instead of “broad”) methods.
Developers may use this method to query for apps in cases where their app has policy-compliant interoperability with, or management of, these apps.
In another blog post, Google said that the QUERY_ALL_PACKAGES permission only takes effect when apps target Android API level 30 or later on devices running Android 11 or later.
In the post, Google listed some allowable use cases for Play Store apps querying users' app lists.
The apps include "device search, antivirus apps, file managers, and browsers," with Google adding that "apps that must discover any and all installed apps on the device, for awareness or interoperability purposes may have eligibility for the permission."
There's also an exception for financial apps like banking apps and P2P wallets, which Google said "may obtain broad visibility into installed apps solely for security-based purposes."
Google's updated policy also stated that "[a]pp inventory data queried from Play-distributed apps may never be sold nor shared for analytics or ads monetization purposes."
Besides this app package list restriction, Google Play Store also flags several other APIs as "sensitive," subjecting them to a closer review and requiring developers to justify their use. Apps using the powerful accessibility APIs, background location APIs, SMS and phone apps, and full file access APIs are all subject to Google's individual approval.
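
The broad and limited visibility levels described above can be told apart from an app's manifest. The following Python check is an added example, not code from Google or from the original article: it classifies a manifest as requesting broad visibility (the QUERY_ALL_PACKAGES permission) or limited visibility (Android 11's targeted `<queries>` declaration). It assumes a plain-text manifest that carries a `<uses-sdk>` element; the function name `audit_visibility`, the level labels and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BROAD = "android.permission.QUERY_ALL_PACKAGES"
NS_DECL = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample manifests (plain-text XML, not taken from any real app).
BROAD_MANIFEST = f"""<manifest {NS_DECL} package="com.example.broad">
  <uses-sdk android:targetSdkVersion="30"/>
  <uses-permission android:name="{BROAD}"/>
</manifest>"""

TARGETED_MANIFEST = f"""<manifest {NS_DECL} package="com.example.targeted">
  <uses-sdk android:targetSdkVersion="30"/>
  <queries>
    <package android:name="com.example.partner"/>
    <intent><action android:name="android.intent.action.SEND"/></intent>
  </queries>
</manifest>"""

def audit_visibility(manifest_xml):
    """Classify the package visibility an app requests in its manifest."""
    # ElementTree is fine for trusted files; use a hardened parser for untrusted XML.
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "0")) if sdk is not None else 0
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    packages = [p.get(A + "name") for p in root.findall("queries/package")]
    actions = [a.get(A + "name") for a in root.findall("queries/intent/action")]
    if BROAD in perms:
        # Per the article, the permission only takes effect at target API 30+.
        level = "broad" if target >= 30 else "declared-not-in-effect"
    elif packages or actions:
        level = "limited"
    else:
        level = "default"
    return {"level": level, "target": target, "packages": packages, "actions": actions}

if __name__ == "__main__":
    for name, xml in (("broad", BROAD_MANIFEST), ("targeted", TARGETED_MANIFEST)):
        print(name, audit_visibility(xml))
```

A reviewer can run this over an app's manifest before submission: a "broad" result is the case Google's policy requires a justification for, while "limited" lists exactly which packages and intent actions the app asks to see.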