Google has introduced one other privateness restriction for Play Retailer apps. Beginning this summer season, Android 11’s new Query_All_Packages permission will probably be flagged as “sensitive” on the Play Retailer, that means Google’s evaluate course of will limit it to apps the corporate feels actually need it. Query_All_Packages lets an app learn your total app checklist, which may include all types of delicate data, like your courting preferences, banking data, password administration, political affiliation, and extra, so it is smart to lock it down.
On a assist web page, Google introduced, “Apps which have a core objective to launch, search, or interoperate with different apps on the machine could receive scope-appropriate visibility to different put in apps on the machine.” Google has another page that lists allowable use instances for Play Retailer apps querying your app checklist, together with “machine search, antivirus apps, file managers, and browsers.” The web page provides that “apps that should uncover any and all put in apps on the machine, for consciousness or interoperability functions could have eligibility for the permission.” For apps that should work together with different apps, Google needs builders to make use of extra scoped app-discovery APIs (as an example, all apps that assist x function) as a substitute of simply pulling the whole app checklist.
There’s additionally an exception for monetary apps like banking apps and P2P wallets, which the web page says “could receive broad visibility into put in apps solely for security-based functions.” We assume this implies scanning for root apps. The brand new coverage additionally states that “[a]pp stock information queried from Play-distributed apps could by no means be bought nor shared for analytics or advertisements monetization functions.”
Our retailer, our guidelines
Utilizing the Play Retailer as a developer management floor is a reasonably new tactic for Google. Positive, Google has full management over the OS and might use that management to drive privateness restrictions for all apps, however whenever you simply need to have an effect on some apps, pushing out a Play Retailer app evaluate restriction offers Google extra fine-grained management over permission utilization insurance policies. The Play Retailer is the one universally default (apart from China) Android app retailer, and it is the first place most individuals get apps, so Play Retailer guidelines let Google construct thicker partitions round its walled backyard whereas additionally giving builders an opportunity to argue for his or her particular person use instances. If end-users don’t love the foundations, they get a sideloading and alternative-app-store escape hatch, which you would not get with an OS-based permission restriction.
Moreover this app package deal checklist restriction, the Play Retailer additionally flags several other APIs as “delicate,” subjecting them to a more in-depth evaluate and requiring particular person builders to justify their use. Apps utilizing the highly effective accessibility APIs, background location APIs, SMS and phone apps, and full file entry APIs are all topic to Google’s particular person approval.
Different present Play Retailer restrictions embrace a rolling minimal API-level coverage that mandates new and updating apps cannot use an API degree older than one 12 months. API ranges are the principle means Android manages backward compatibility. New restrictions and options for every model of Android usually solely apply to apps concentrating on that API degree, so nothing breaks. As an illustration, the permissions system solely applies to apps concentrating on API degree 23 (Android 6.0) and up—older apps haven’t any permission restrictions. When used maliciously, you could possibly simply goal an historical API degree to ship an app with extra entry to the system, however the Play Retailer coverage to simply block any submissions on older API ranges prevents this.
At this time’s restriction is a good instance: The Query_All_Packages permission was added in Android 11, so it solely applies to apps concentrating on Android 11’s API degree, which is “API Stage 30.” The Play Retailer’s restrictions, naturally, additionally solely apply to apps concentrating on API degree 30 and up, which most likely is not many apps proper now. Shortly after Android 11 is one 12 months outdated, although (in November 2021), the Play Retailer will make API degree 30 the minimal API degree for updating apps, so the permission and the brand new restrictions will apply to each presently maintained app within the retailer.