Google has announced another privacy restriction for Play Store apps. Starting this summer, Android 11’s new Query_All_Packages permission will be flagged as “sensitive” on the Play Store, meaning Google’s review process will restrict it to apps the company feels really need it. Query_All_Packages lets an app read your entire app list, which can contain all sorts of sensitive information, like your dating preferences, banking information, password management, political affiliation, and more, so it makes sense to lock it down.
On a support page, Google announced, “Apps that have a core purpose to launch, search, or interoperate with other apps on the device may obtain scope-appropriate visibility to other installed apps on the device.” Google has another page that lists allowable use cases for Play Store apps querying your app list, including “device search, antivirus apps, file managers, and browsers.” The page adds that “apps that must discover any and all installed apps on the device, for awareness or interoperability purposes may have eligibility for the permission.” For apps that have to interact with other apps, Google wants developers to use more scoped app-discovery APIs (for instance, all apps that support x feature) instead of just pulling the entire app list.
There’s also an exception for financial apps like banking apps and P2P wallets, which the page says “may obtain broad visibility into installed apps solely for security-based purposes.” We assume this means scanning for root apps. The new policy also states that “[a]pp inventory data queried from Play-distributed apps may never be sold nor shared for analytics or ads monetization purposes.”
Our store, our rules
Using the Play Store as a developer control surface is a fairly new tactic for Google. Sure, Google has full control over the OS and can use that control to force privacy restrictions for all apps, but when you just want to affect some apps, pushing out a Play Store app review restriction gives Google more fine-grained control over permission usage policies. The Play Store is the only universally default (except for China) Android app store, and it’s the primary place most people get apps, so Play Store rules let Google build thicker walls around its walled garden while also giving developers a chance to argue for their individual use cases. If end-users don’t like the rules, they get a sideloading and alternative-app-store escape hatch, which you wouldn’t get with an OS-based permission restriction.
Besides this app package list restriction, the Play Store also flags several other APIs as “sensitive,” subjecting them to a closer review and requiring individual developers to justify their use. Apps using the powerful accessibility APIs, background location APIs, SMS and phone apps, and full file access APIs are all subject to Google’s individual approval.
Other current Play Store restrictions include a rolling minimum API-level policy that mandates new and updating apps can’t use an API level older than one year. API levels are the main way Android manages backward compatibility. New restrictions and features for each version of Android generally only apply to apps targeting that API level, so nothing breaks. For instance, the permissions system only applies to apps targeting API level 23 (Android 6.0) and up—older apps have no permission restrictions. When used maliciously, you could just target an ancient API level to ship an app with more access to the system, but the Play Store policy to just block any submissions on older API levels prevents this.
Today’s restriction is a great example: the Query_All_Packages permission was added in Android 11, so it only applies to apps targeting Android 11’s API level, which is “API Level 30.” The Play Store’s restrictions, naturally, also only apply to apps targeting API level 30 and up, which probably isn’t many apps right now. Shortly after Android 11 is one year old, though (in November 2021), the Play Store will make API level 30 the minimum API level for updating apps, so the permission and the new restrictions will apply to every currently maintained app in the store.