A research paper published this week has analyzed the current usage of a lesser-known feature of the Android operating system that could be a danger to user privacy.
The study found that many of today’s top Android apps make use of IAMs (Installed Application Methods), a set of Android API calls, exposed mainly through the PackageManager class, that let an app obtain the list of other applications installed on the device and details about each of them.
Google initially created these API calls[1, 2] to allow developers to detect app incompatibilities or fine-tune interactions with other apps. However, the study published this week suggests that IAMs are also being used to track and fingerprint users, posing a palpable privacy risk.
The danger to user privacy comes from the fact that an advertiser could infer interests and personal traits (gender, spoken languages, religious beliefs, age groups) by analyzing a user’s list of installed applications.
In addition, users cannot protect themselves against IAM-based fingerprinting. IAM calls are “silent methods”: an app does not need to ask the user for any permission before executing them, so nothing visible to the user signals that the list of installed apps is being read.
Furthermore, many IAM calls are executed without the app developer’s knowledge. Where an app bundles an analytics package or an advertising library, the researchers found that many such libraries made silent IAM calls without the app developer being aware of it.
Analyzing thousands of apps
The research paper published this week looked at all these angles and quantified IAM usage stats in the Android ecosystem for the first time.
This monumental task was carried out by a team of four academics from universities in Switzerland, Italy, and the Netherlands. The research team said it analyzed thousands of Android apps and their respective code, looking for IAM API calls, regardless of their location — the app’s code or a third-party library.
Researchers said they analyzed 14,342 Android apps published in the top categories of the Google Play Store and another set of 7,886 Android applications that had their source code published online.
According to the research team, usage of IAMs is quite common in commercial apps, with 30.29% (4,214) of the Play Store apps making IAM calls within their code. For open-source apps, this number was only at 2.89% (228 apps).
The research team did not only study which apps made IAM calls; it also looked at which IAM call each app was making, to understand what developers were trying to achieve through this feature.
The table below speaks volumes.
It shows that almost half of all recorded IAM usages in both Play Store and open-source apps were reads of the packageName field, the package identifier carried by each entry in the lists that calls such as getInstalledPackages and getInstalledApplications return. Reading that field is what turns a list of installed-app records into a list of app names.
All the other IAM calls had a usage percentage of less than 15%, with most being under 1%. Most of these are IAM calls for technical app details, such as signatures, app versions, last update times, or SDK version numbers.
Such calls serve compatibility checks and inter-app interactions, the purpose for which the IAM API was created in the first place.
However, the high number of packageName reads suggests that many apps obtain the list of locally installed apps and then do nothing further with it that would serve the app’s own functionality, which points to a “collection” type of behavior on the part of those apps.
This indication that IAM calls are mostly used for data collection rather than compatibility checks was reinforced when the research team looked at where the code executing each IAM call lived.
What researchers found was that most IAM calls were originating from third-party libraries added to apps, rather than the apps themselves.
“A total of 7,538 and 287 calls to IAMs were detected in commercial and open-source apps respectively (some apps perform more than one call),” the research team said.
“Usages of IAMs in included libraries appear to be more common in commercial apps, where 6,306 (83.66%) of detected calls are performed in code belonging to libraries, while the remaining 1,232 (16.34%) are performed in the apps’ own code,” researchers said. “Concerning open-source apps, 178 usages (62.02%) are performed from bundled libraries while remaining 109 (37.98%) belong to the apps’ own code.”
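The attribution step behind the numbers above (is a given IAM call made from the app’s own code or from a bundled library?) can be reproduced on any APK you can disassemble. The script below is example code written for this page, not the study’s tooling: it scans smali disassembly of the kind apktool or baksmali produce for a subset of IAM methods and fields, and classifies each hit as app or library by comparing the class’s Dalvik descriptor with the app’s package prefix. The IAM list is a subset chosen for the example, and the package names and smali snippets are constructed.

```python
"""Find Installed Application Method (IAM) usages in smali disassembly and
attribute each one to the app's own code or to a bundled library.

Example code written for this page, not the study's tooling. It assumes
input in the form produced by apktool/baksmali: one .smali file per class,
a `.class` header line, and Dalvik `invoke-*` / `iget-*` / `sget-*`
instructions that reference methods and fields by descriptor."""

import re
from collections import Counter

# A subset of the PackageManager / PackageInfo / ApplicationInfo surface
# that reveals which other apps are installed. The study's full list is in
# the paper; this selection is an assumption made for the example.
IAM_METHODS = {
    "Landroid/content/pm/PackageManager;->getInstalledPackages",
    "Landroid/content/pm/PackageManager;->getInstalledApplications",
    "Landroid/content/pm/PackageManager;->getPackageInfo",
    "Landroid/content/pm/PackageManager;->getApplicationInfo",
    "Landroid/content/pm/PackageManager;->queryIntentActivities",
    "Landroid/content/pm/PackageManager;->getLaunchIntentForPackage",
}
IAM_FIELDS = {
    "Landroid/content/pm/PackageInfo;->packageName",
    "Landroid/content/pm/ApplicationInfo;->packageName",
    "Landroid/content/pm/PackageInfo;->signatures",
    "Landroid/content/pm/PackageInfo;->lastUpdateTime",
}

# `.class public final Lcom/foo/Bar;`                     -> Lcom/foo/Bar;
CLASS_RE = re.compile(r"^\.class\b.*?(L[\w/$]+;)\s*$", re.M)
# `invoke-virtual {v0, v1}, Lpkg/Cls;->method(Args)Ret`  -> Lpkg/Cls;->method
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)? \{[^}]*\}, (L[\w/$]+;->\w+)\(", re.M)
# `iget-object v2, v1, Lpkg/Cls;->field:Type`            -> Lpkg/Cls;->field
FIELD_RE = re.compile(r"^\s*[is]get(?:-\w+)? [vp]\d+(?:, [vp]\d+)?, (L[\w/$]+;->\w+):", re.M)


def origin_of(class_desc, app_package):
    """'app' if the class lives under the app's own package, else 'library'.
    Repackaging by R8/ProGuard can defeat this heuristic (see note below)."""
    prefix = "L" + app_package.replace(".", "/") + "/"
    return "app" if class_desc.startswith(prefix) else "library"


def scan_smali(files, app_package):
    """files: {relative path: smali text}. Returns one record per IAM usage."""
    hits = []
    for path, text in files.items():
        header = CLASS_RE.search(text)
        cls = header.group(1) if header else "L" + path.rsplit(".", 1)[0] + ";"
        for kind, regex, iam_set in (("method", INVOKE_RE, IAM_METHODS),
                                     ("field", FIELD_RE, IAM_FIELDS)):
            for ref in regex.findall(text):
                if ref in iam_set:
                    hits.append({"class": cls, "iam": ref.split("->")[1],
                                 "kind": kind, "origin": origin_of(cls, app_package)})
    return hits


def summarize(hits):
    """Counts in the shape the paper reports: total, per origin, per IAM."""
    return {"total": len(hits),
            "by_origin": Counter(h["origin"] for h in hits),
            "by_iam": Counter(h["iam"] for h in hits)}


def library_share(hits):
    """Fraction of IAM usages made from library code (the paper's 83.66% figure)."""
    return sum(h["origin"] == "library" for h in hits) / len(hits) if hits else 0.0


# Constructed, abbreviated smali for a fictional weather app that bundles a
# fictional advertising SDK. Neither package name refers to a real product.
SAMPLE_SMALI = {
    "com/example/weather/MainActivity.smali": """\
.class public Lcom/example/weather/MainActivity;
.super Landroid/app/Activity;

.method private isMapsInstalled()Z
    .locals 3
    invoke-virtual {p0}, Lcom/example/weather/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v0
    const-string v1, "com.example.maps"
    const/4 v2, 0x0
    invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
    const/4 v0, 0x1
    return v0
.end method
""",
    "com/adnet/sdk/Collector.smali": """\
.class public final Lcom/adnet/sdk/Collector;
.super Ljava/lang/Object;

.method public harvest(Landroid/content/pm/PackageManager;)Ljava/util/List;
    .locals 4
    const/4 v0, 0x0
    invoke-virtual {p1, v0}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
    move-result-object v1
    const/4 v0, 0x0
    invoke-interface {v1, v0}, Ljava/util/List;->get(I)Ljava/lang/Object;
    move-result-object v2
    check-cast v2, Landroid/content/pm/ApplicationInfo;
    iget-object v3, v2, Landroid/content/pm/ApplicationInfo;->packageName:Ljava/lang/String;
    return-object v1
.end method
""",
}

if __name__ == "__main__":
    found = scan_smali(SAMPLE_SMALI, "com.example.weather")
    for h in found:
        print(f"{h['origin']:7} {h['kind']:6} {h['iam']:26} {h['class']}")
    print(summarize(found))
    print(f"library share: {library_share(found):.2%}")
```

On a real target, read every .smali file under the apktool output directory into the dict and pass the package name from AndroidManifest.xml. Two caveats apply to the heuristic: code shrinkers such as R8/ProGuard can repackage library classes into the app’s own namespace, which makes the split undercount libraries, and the IAM set here is a subset; the table in the paper is the authoritative list.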
According to the research team, more than a third of the third-party libraries found running IAM calls were advertising libraries, which strongly suggests that IAM calls are being used as a user data collection mechanism.
A follow-up questionnaire with 70 app developers also found that many developers weren’t even aware that the third-party libraries they used in their apps were performing IAM calls.
“We were not aware that it was used at all,” said one of the developers who answered researchers and completed the questionnaire.
“We aren’t using it. Third-party API? If you can tell me which one I’ll remove it,” said another.
Going forward, the research team urges Google to restrict the use of IAM API calls. In the team’s view, the best outcome would be for Google to gate IAM calls behind a runtime permission, the kind of prompt that asks the user whether an app may take an action, in this case retrieve the list of all their other apps. Android 11, released later in 2020, moved part of the way there: an app targeting API level 30 or higher sees only the packages it declares in a <queries> element of its manifest unless it holds the QUERY_ALL_PACKAGES permission, but that permission is granted at install time rather than through a prompt, so the user is still not asked.
More details about this research are available in a research paper titled “Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User’s Device,” set to be presented this fall at the MOBILESoft 2020 conference in Seoul, South Korea.