Google Quietly Cuts Access to API Exposing Sensitive User Data

Google is cracking down on app publishers’ use of the Query_All_Packages API, which lets developers see all the apps on someone's phone, access that has long concerned privacy advocates but is exacerbated in a post-Roe world. Starting July 20, Android app developers that use the API must submit a declaration for why they’re using it in order to carry out routine app updates, according to a blog post. Apps that fail to submit a declaration, or do not meet Google’s policies, risk being removed from Google Play. Only apps that need to know what other apps are on the user’s phone to perform their function, such as a productivity app, will be granted access. The API has long been a concern of consumer privacy advocates; knowing what apps people have on their phones could incriminate them. The more individuals that have access to this data, the greater the risk, said privacy researcher Zach Edwards. Having the Whisper app might implicate someone sharing negative information about their employer, for example, Edwards said. Having gay dating app Grindr could be dangerous in countries where homosexuality is illegal. And, having one of many Planned Parenthood apps could be incriminating in U.S. states where abortion is illegal. People’s digital data trails—and the companies that traffic and sell access to user data—have been under increased scrutiny after the Supreme Court overturned the federal right to abortion last month. Google in particular, as one of the country’s largest stewards of consumer data, has been under pressure: indeed, a group of congresspeople asked Google to stop collecting and retaining unnecessary customer location data in a public letter. Google said Friday it would delete the location data for people who visited abortion centers—and a slew of other medical facilities. The company's restriction of the Query_All_Packages API is not inherently related to Roe v. Wade, however, as the tech giant first said it would restrict access in early 2021. The company has pushed back its enforcement deadline several times. As recently as this weekend, the blog post said the deadline was July 12. Now the post says July 20. “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps—such as device search, antivirus, and file manager apps—can see what other apps are installed on a phone," a Google spokesperson said. “Based on developer feedback and Covid-19-related considerations, we granted a one-time extension later that year to the policy enforcement timeline to give developers the time they needed to update their apps.” Anyone Can Buy Ads Programmatically. That Presents Risks in a Post-Roe World Use (and potential abuse) of Query_All_Packages Like most sources of data leakage, Query_All_Packages’ roots are not nefarious. Having a complete picture of a user’s apps is useful for advertisers’ targeting efforts. “If you’re a heavy gamer and you have plenty of casual games on your phone, then maybe the likelihood of you developing the 22nd [gaming] app is high,” said Ana Milicevic, co-founder of programmatic consultancy Sparrow Advisors. “If all you have is Candy Crush, maybe you’re not such a smart buy from me.” While beneficial to advertisers, there isn’t a clear use case for Query_All_Packages for app publishers, save for those who need to know a user’s apps to function, and will be spared from Google’s restrictions, said Katie Madding, chief product officer of mobile ad-tech company Adjust. In fact, the API can be used by fraudsters to bogusly link ad clicks and app downloads, a practice known as click injection, Madding said. Advertisers also can use a unique combination of apps to identify someone, which is valuable as Apple’s mobile identifiers and cookies are disappearing. Computer science research found that a person’s list of apps was a reliable predictor of demographic data. The issue is that none of it is enforced.Serge Egelman, a researcher at the International Computer Science Institute Even if those who harvest this kind of data don’t have sinister aims, it can easily end up in the hands of those who do, sources say. Mobile apps routinely strike private deals with data brokers who sell data to anyone who will pay for it, often without user knowledge. Cell phone data sold commercially showed that a priest used Grindr and visited gay bars, which ultimately led him to vacate his post. “The point is that it’s a very opaque ecosystem and it's impossible for consumers and regulators to determine how the data is going to be used,” said Serge Egelman, a researcher at the International Computer Science Institute, which is affiliated with University of California, Berkley. GDPR concerns and lack of enforcement Unchecked, the API’s power to identify users and share sensitive data could violate the EU’s General Data Protection Regulation, said Aurélie Pols, who advises the European Commission on digital privacy. “Our personal data is not a property,” Pols said. The worst use cases of Query_All_Packages data being sold to a bad actor were always prohibited by Android, which forbids collecting app inventory data to sell or share for analytics or ads monetization, a Google spokesperson said. Yet Google does not always proactively enforce this rule and other policies, Egelman said, citing his own research. “The issue is that none of it is enforced,” Egelman said, noting these new restrictions will close one of many existing loopholes. “Google doesn’t do proactive checking on whether apps adhere with all of their policies.” Correction: An earlier version of this article stated that the Query_All_Packages API can be used to curtail ad fraud. The API actually can be used by bad actors to facilitate ad fraud, according to Madding.