Google has introduced one other privateness restriction for Play Store apps. Starting this summer time, Android 11’s new Query_All_Packages permission will probably be flagged as “sensitive” on the Play Store, that means Google’s evaluation course of will limit it to apps the corporate feels actually need it. Query_All_Packages lets an app learn your entire app list, which might include all types of delicate info, like your relationship preferences, banking info, password administration, political affiliation, and extra, so it is sensible to lock it down.
On a assist web page, Google introduced, “Apps which have a core objective to launch, search, or interoperate with different apps on the system could get hold of scope-appropriate visibility to different put in apps on the system.” Google has another page that lists allowable use instances for Play Store apps querying your app list, together with “system search, antivirus apps, file managers, and browsers.” The web page provides that “apps that should uncover any and all put in apps on the system, for consciousness or interoperability functions could have eligibility for the permission.” For apps that should work together with different apps, Google desires builders to make use of extra scoped app-discovery APIs (for example, all apps that assist x function) as an alternative of simply pulling the entire app list.
There’s additionally an exception for monetary apps like banking apps and P2P wallets, which the web page says “could get hold of broad visibility into put in apps solely for security-based functions.” We assume this implies scanning for root apps. The new coverage additionally states that “[a]pp stock information queried from Play-distributed apps could by no means be bought nor shared for analytics or adverts monetization functions.”
Our retailer, our rules
Using the Play Store as a developer management floor is a reasonably new tactic for Google. Sure, Google has full management over the OS and might use that management to power privateness restrictions for all apps, however once you simply need to have an effect on some apps, pushing out a Play Store app evaluation restriction offers Google extra fine-grained management over permission utilization insurance policies. The Play Store is the one universally default (apart from China) Android app retailer, and it is the first place most individuals get apps, so Play Store rules let Google construct thicker partitions round its walled backyard whereas additionally giving builders an opportunity to argue for his or her particular person use instances. If end-users do not just like the rules, they get a sideloading and alternative-app-store escape hatch, which you would not get with an OS-based permission restriction.
Besides this app bundle list restriction, the Play Store additionally flags several other APIs as “delicate,” subjecting them to a more in-depth evaluation and requiring particular person builders to justify their use. Apps utilizing the highly effective accessibility APIs, background location APIs, SMS and phone apps, and full file entry APIs are all topic to Google’s particular person approval.
Other present Play Store restrictions embrace a rolling minimal API-level coverage that mandates new and updating apps cannot use an API stage older than one yr. API ranges are the principle method Android manages backward compatibility. New restrictions and options for every model of Android usually solely apply to apps focusing on that API stage, so nothing breaks. For occasion, the permissions system solely applies to apps focusing on API stage 23 (Android 6.0) and up—older apps don’t have any permission restrictions. When used maliciously, you possibly can simply goal an historical API stage to ship an app with extra entry to the system, however the Play Store coverage to only block any submissions on older API ranges prevents this.
Today’s restriction is a superb instance: The Query_All_Packages permission was added in Android 11, so it solely applies to apps focusing on Android 11’s API stage, which is “API Level 30.” The Play Store’s restrictions, naturally, additionally solely apply to apps focusing on API stage 30 and up, which in all probability is not many apps proper now. Shortly after Android 11 is one yr previous, although (in November 2021), the Play Store will make API stage 30 the minimal API stage for updating apps, so the permission and the brand new restrictions will apply to each at the moment maintained app within the retailer.
