from Hacker News

Everyone knows all the apps on your phone

by gniting on 3/29/25, 9:26 PM with 482 comments

by captn3m0 on 3/30/25, 2:37 AM
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...
Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.
There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331
by turblety on 3/30/25, 5:53 AM
I still, will never understand the need for native "Apps". To this day, I have never seen an "App" that couldn't simply have been a website/webapp. Most of them would likely be improved by being a webapp.
The only benefits I can see of "Apps", are the developer get's access to private information they really don't need.
Yeah, they get to be on the "App Store". But the "App Store" is a totally unnecessary concept introduced by Apple/Google so they could scrape a huge percentage in sales.
Web browsers have good (not perfect) sandboxing, costs no fees to "submit" and are accessible to everyone on every phone.
by aucisson_masque on 3/30/25, 4:01 PM
That's why I like hacker news.
I found this article yesterday and posted it on reddit android, here : https://old.reddit.com/r/Android/comments/1jmwg4w/everyone_k...
0 upvote, comment filled with what is either depressed sad people or just bots.
Here it's top 2... With mostly interesting comment.
Some subreddit are more dead than other but r/android got to be one of the worst.
by nindalf on 3/30/25, 6:47 AM
> Beyond the usual categories, I see there are checks for apps like Tamil Calendar, Odia Calendar, Qibla Direction Finder, mandir apps, astrology apps. They know what they’re doing.
This loan app is profiling people on the basis of race (Tamil, Odia) and religion (Qibla Direction Finder is used by Muslims, mandir apps by Hindus).
by graemep on 3/30/25, 10:32 AM
The HSBC UK Android app look s at what apps you have, and refuses to run if you have apps with certain permissions (such as an alternative launcher) and now refuses to run if you have any apps from outside the Google app store.
I have complained about this here before, but the end result was that I asked for a hardware security device and use the website instead.
by DevKoala on 3/30/25, 1:13 AM
> How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality? How will knowing if I have the Naukri or Upstox app help them deliver groceries to my doorstep?
It is for fingerprinting purposes
by zx8080 on 3/29/25, 11:53 PM
> For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
Why would browser need to enumerate the installed apps?
Why?!
by andsoitis on 3/30/25, 12:11 AM
> everyone knows all the alls on your phone
On Android phones. iPhone doesn’t have this privacy deficiency.
by Tmpod on 3/30/25, 12:46 AM
It requires root, but you can block/spoof this with an LSPosed[1] module such as XPrivacyLua[2]. I hear there's also the closed-source AppOps[3], but I've never used it.
[1]: https://lsposed.org [2]: https://github.com/M66B/XPrivacyLua / https://github.com/0bbedCode/XPL-EX [3]: https://appops.rikka.app
by cheschire on 3/29/25, 11:43 PM
Can windows apps (not installed from the MS store) enumerate through the window titles of all open windows? How hard would it be for an app to monitor all of your web traffic based on the title alone?
Legit question. ChatGPT isn't super helpful here since it agrees with everything when I'm really looking for someone to say why this isn't really feasible in the real world.
by hnburnsy on 3/30/25, 3:38 AM
>For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
'Extreme' my a*. My bank app has this permission, as well as my camera app, contacts app, clock app, Google Home, and on and on. My bank app was moved to an old iPad because of this.
by weinzierl on 3/30/25, 8:42 AM
"the one that blue tick twitter accounts living in certain pin codes of Bengaluru passionately discuss amongst themselves for a week every year"
To someone embarrassingly unfamiliar with Indian culture, what does it mean?
by surmoi on 3/30/25, 10:27 AM
Exodus Privacy will let you know about this kind of Android apps you should avoid installing https://exodus-privacy.eu.org/
Swiggy is actually a small player in terms of permissions requested, with 'only' 47 Compare it to Weibo with 104, Wechat with 93, Facebook with 85, Snapchat with 71 (granted those apps may offer additional services that require some additional permissions, but they are definitely not worth giving them all your data...)
by turrini on 3/30/25, 12:35 PM
I don't know if it is just me but I run every class of app in isolated "islands" (like work profiles) on Android. Browsers, banking apps, social media, instant messaging, tools, etc. Almost everything is isolated from another non related group.
by einszwei on 3/29/25, 11:31 PM
Just wow. I assumed that Google patched this few years back but guess they left a few backdoors.
by solardev on 3/30/25, 1:03 AM
Privacy issues aside, it's kinda cool reading about how Indians use their phones, and also how they use English. I'd never heard "beyond the pale" before, and I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?
I've also never heard of the majority of the apps being analyzed or tracked. Must be such a different world out there.
by photonthug on 3/30/25, 6:51 AM
> It's worth acknowledging that there are some legitimate reasons for an app to check which other apps are installed on your phone. For example, an app might check which UPI apps are installed to show relevant payment options.
Nope! Nope, nope, nope. If you're wondering how we got into this situation.. well, it's exactly stuff like this. Weird to see someone who's digging into it at all also making excuses for it.
No one ever said "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever". And they certainly did not say this about tinycorp. People just absolutely suck at adversarial thinking, and good guys need to do it for them before bad guys can. Do you want organized crime blackmailing your politicians about dating apps and infidelity? Do you want to make it easy to do large scale targeting of ${vulnerable_people} the next time the cultural or political climate shifts?
Come on. Anyway shouldn't the phone OS itself handle this rather than apps launching apps?? If not.. just let people pick a payment option, and then throw an error if the option is not available.
by djrj477dhsnv on 3/30/25, 3:57 AM
Anyone know if GrapheneOS has protection against this?
by rkagerer on 3/29/25, 11:40 PM
Can you see in the Play store before installing an app exactly which other apps it's allowed to talk to? Can you see it on your phone and override?
by therealmarv on 3/30/25, 6:38 PM
It's a known fact in the rooting community because some banking apps searching for root only apps!
If you root (I advice against doing that) and have LSPosed installed you can hide apps to be seen by every other app with Hide My Applist (HMA) [1] or HMAL (which I like more because it is more minimalistic) [2]
[1] https://github.com/Dr-TSNG/Hide-My-Applist
[2] https://github.com/pumPCin/HMAL
by Yaggo on 3/30/25, 7:18 AM
The title should read: "Everyone knows all the apps on your Android phone"
by RKFADU_UOFCCLEL on 3/30/25, 2:48 PM
This is to be expected though, a phone platform isn't exactly Tor Browser. The big API as with any platform will have plenty of ways to fingerprint people even without this one example, unless the developers went far out of their way from the beginning to build prevention in. Much like how on UNIX you can see what processes everyone is running and their command lines.
by bustling-noose on 3/30/25, 4:58 AM
Very simple:
Big companies like Swiggy and Zepto will mine the F out of your data. Some of it is for their benefit but some of it they could sell in the future. These so called founders are really just another wolf of app street looking to pump and dump. So when they do dump, or when some VC comes with money, they don’t just sell their app they sell it as a whole package of data and analytics that some company can use to sell their product or something VC can leverage to sell their stock to someone else. It’s not that difficult.
As far as smaller apps go these apps outsource their development to people who come with ‘packages’ to develop and maintain their app. These packages are the same logic as above but it’s just that they come from some template so you might be asked for location permission or camera or microphone by some really random app that has nothing to do with it.
While the quality of iOS is degrading, some of these things are really important and simply work better on iOS.
by DeathArrow on 3/30/25, 8:06 AM
>Please remember the next time you casually install an app on your Android device, this information is being broadcast to the whole world. Data brokers will use it to profile you, cross-reference it with data about you from other ad networks and eventually it will be used to decide how much you’ll be asked to pay the next time you order a samosa.
Who are those data brokers? Are they publicly known? Do they have an API where a business sends customer ID, mail or something and get an spending profile that helps adjusting price for a particular customer?
I know this sounds evil. But didn't banks and insurance companies collaborate to profile their customers since tens of years ago? That is not similarly evil?
by amelius on 3/29/25, 11:28 PM
> I don’t even know where to begin unpacking this madness. How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality?
Probably has to do with feeding adtech's hunger for personal information, or fingerprinting maybe (not sure if that's a thing in the context of phone apps).
by avsteele on 3/30/25, 12:23 AM
If they just audited apps and banned companies from the app store for abuse it would do a lot to curb this behavior. This is feasible, there just aren't THAT many popular apps at any given time.
by BGizzle on 4/9/25, 6:48 AM
Everyone knows all the apps on your Android phone
by TekMol on 3/30/25, 11:40 AM
```
    So I downloaded a few dozen Indian apps
    I could think of on top of my head and
    started reading their manifest files
```
How do you download apps from the Android app store and read their manifest files?
Does this mean one could make a website that lists all those manifest file, so the users could decide against using apps that use this loophole?
by nsonha on 3/31/25, 3:57 PM
Android is so broken, each app query should be explicitly approved by user, instead of by reviewer like this.
by Tewboo on 3/30/25, 11:20 AM
It's true, our phones are like little windows into our lives. The apps we have reflect our habits and interests.
by HackerThemAll on 3/30/25, 9:03 PM
Thank you Google's "top talent" Android devs for this permission system full of loopholes.
by OutOfHere on 3/29/25, 11:28 PM
If Google truly cared about privacy, each app would run in its own strict jail, and permissions would be faked by default. Also, easy malware by Israel or anyone else would not be a thing. As it stands, apps know everything I am doing, and I get targeted spam email rather immediately.
by bloomingeek on 3/30/25, 2:12 PM
Perhaps crazy question: is it a good idea to have two phones now? One for making calls only, with as many apps as possible removed. And another phone for email, web surfing, photos, etc...?
edit: Oops, I left out texting. Which phone for that?
by nickvec on 3/30/25, 4:13 AM
Just curious, why was this targeted specifically at Indian apps?
by dTal on 3/29/25, 11:46 PM
Another fantastic reason to strictly only install apps from F-Droid.
by aussieguy1234 on 3/31/25, 3:26 AM
If I have Uber, but multiple competing apps on my phone and I grant Uber permissions to see that, will I get cheaper rides?
by marcodiego on 3/30/25, 12:31 AM
Well, things are particularly more complicated on my case: I don't use google services and only install apps from f-droid.
by anonym29 on 3/30/25, 1:00 PM
You don't have to sacrifice your privacy to use Android. GrapheneOS is a tremendous alternative, and even if you still need some Play Store applications, you can install a GMS compatibility layer and Play Store in either a secondary profile (recommended) or your main profile (not recommended) without granting Google unfettered control over your entire operating system. This compatibility layer offers a better reduction in attack surface and stronger hardening than microG.
Alternatively, you can continue with the standard setup, accepting that you’re willingly providing companies with an unprecedented level of access to your personal data. It’s puzzling that many seem more concerned about breaking a familiar routine than about the risks associated with sharing every detail of their lives with companies that, in turn, share that data with one (or more) hostile government(s).
There is certainly a lot of justified concern about government overreach and abuse of power on HN. It remains difficult to understand why many with these warranted concerns do nothing to adopt a more coherent and rational approach — such as merely attempting to protect their personal data by not deliberately and voluntarily feeding it entirely to companies that are secretly coordinating with the very same hostile governments these people claim to seriously fear and detest.
by smallnix on 3/29/25, 11:22 PM
Nice analysis. Google should take notice. Do worldwide used apps do this too?
by 6510 on 3/30/25, 5:00 AM
If nothing is done why not require competing apps be uninstalled?
by zer0zzz on 3/30/25, 6:00 AM
My solution to this is to use the apps that come with my phone and avoid relying on anything else. Problem solved. I use signal, uber, MyChart (for my doctor), and some apps for banking but that is about it.
by ErigmolCt on 3/30/25, 9:53 AM
This is equal parts fascinating and horrifying
by anymouse123456 on 3/30/25, 1:55 PM
IME, Apps usually represent an overly generous amount of contempt for the people who use them.
At best, it's a designer's hubris (mixed with contempt) like, "You want to select some text out of your SMS message? I've decided. NOPE."
But mostly we're treated with contempt simply because we're an annoyance that is obstructing the goal of serving the actual customer (advertiser) who is paying for the work.
App Stores are no mystery. They are a funnel for rent-seekers and adtech info brokers.
If you think they are intended to benefit you in any way at all, you are badly mistaken.
by zkiihne on 3/30/25, 6:33 PM
I used QUERY_ALL_PACKAGES among other things for my app Limit Buddy (https://www.limitbuddy.com). It would be impossible to make the app without it. But for more normal use cases there's no reason to have it.
Apple has a much more robust solution privacy wise with their ScreenTime API but it makes an app like Limit Buddy much harder to build.
by tmtvl on 3/30/25, 9:56 AM
...On Android. I'm sure I don't have that problem on my Ubuntu Touch phone (if only because there are hardly any apps for it).
by whalesalad on 3/30/25, 7:22 PM
android* phone
by daft_pink on 3/30/25, 5:34 AM
iPhone users reading this like…. I love my iPhone.
by DeathArrow on 3/30/25, 8:07 AM
TLDR, want privacy, don't use Google products.
by bpbp-mango on 3/30/25, 11:15 AM
android lmao
by billfruit on 3/30/25, 2:52 AM
Some apps like Obsidian needs permission to access every file on the device. It is surprising Obsidian isn't getting called out on that very much.