Everyone knows all the apps on your phone

Android app visibility loopholes

  • Commenters focus on how Android lets apps learn which other apps are installed, including via the ACTION_MAIN intent trick that bypasses the newer QUERY_ALL_PACKAGES restrictions.
  • This behavior is reported as widespread, including among big social, gaming, and banking apps, and has been publicly documented for years without being fixed.
  • Some think it’s an “oversight”; others see it as aligned with Google’s adtech incentives and inconsistent with its privacy messaging.
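One way a reviewer can spot the visibility loophole above in an app under audit, as an added example that is not from the discussion: it parses a decoded AndroidManifest.xml (a constructed sample here, assumed to have been extracted in text form from the APK) and flags both the explicit QUERY_ALL_PACKAGES permission and a `<queries>` intent filter on ACTION_MAIN, which on Android 11+ makes every app with a launchable activity visible without that permission.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the android XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"
ACTION_MAIN = "android.intent.action.MAIN"

# Constructed sample manifest in decoded text form; not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.partner"/>
    <intent>
      <action android:name="android.intent.action.MAIN"/>
    </intent>
  </queries>
  <application/>
</manifest>
"""


def audit_manifest(xml_text):
    """Return findings describing how far the app can see other installed apps."""
    root = ET.fromstring(xml_text)
    findings = []
    # Explicit route: the permission that Play restricts to a few app categories.
    for perm in root.iter("uses-permission"):
        if perm.get(NAME) == QUERY_ALL:
            findings.append("QUERY_ALL_PACKAGES: full package list")
    # Declared visibility: named packages are narrow, an ACTION_MAIN filter is not.
    for queries in root.iter("queries"):
        for pkg in queries.iter("package"):
            findings.append(f"queries/package: {pkg.get(NAME)}")
        for intent in queries.iter("intent"):
            actions = {a.get(NAME) for a in intent.iter("action")}
            if ACTION_MAIN in actions:
                findings.append("queries/intent ACTION_MAIN: every launchable app")
            else:
                findings.append("queries/intent: " + ", ".join(sorted(actions)))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A binary manifest inside an APK has to be decoded first (for example with apktool or an aapt2 xmltree dump converted to text) before this parser can read it.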

Legitimate uses vs privacy abuse

  • Claimed legitimate cases: launchers, file managers, antivirus, browsers/Play Store detecting if an app is installed, UPI/payment integration, scam detection via remote‑desktop/banking‑app checks.
  • Many push back that these are weak justifications: the OS and intent system could handle most of this without exposing global app lists, and UX convenience doesn’t justify large privacy loss.

Platform comparisons (Android, iOS, desktop)

  • Desktop OSes (Windows, X11 Linux) are described as far worse: almost no sandboxing, easy keylogging, screenshotting, window-title enumeration, and credential theft.
  • iOS is seen by many as more privacy‑respecting: tighter APIs for querying apps, better permission prompts, contact/photo scoping, and strong branding around privacy.
  • Dissenters note iOS closed‑source opacity, MDM visibility into personal apps, and private/undocumented APIs used by some apps.

Mitigations and alternative setups

  • Suggested mitigations:
    • Use F-Droid (open‑source, curated, explicit permission listings), though its permission listings may still not reveal the ACTION_MAIN loophole.
    • Use GrapheneOS or work/private profiles to isolate app categories (e.g., banking vs everything else).
    • Root + LSPosed/XPrivacyLua/AppOps/HMA to spoof or hide app lists, with warnings that rooting weakens the sandbox and adds new attack surface.
    • Maintain separate phones (or profiles) for sensitive apps vs general use.

Data profiling and potential harms

  • Enumerating apps enables strong fingerprinting and profiling: religion (Qibla/mandir apps), language/region (Tamil/Odia calendars), sexuality, income level, bank choice, remote‑access tools, etc.
  • Commenters raise concerns about ad targeting, data resale, credit scoring, loan discrimination, and more extreme scenarios like political persecution or border‑control abuse.

Web vs native apps

  • Long debate over whether most apps should be web apps/PWAs:
    • Pro‑web: fewer permissions, easier ad‑blocking, less lock‑in, cross‑platform.
    • Pro‑native: better performance, offline behavior, hardware access, UX consistency, and push notifications.
  • Some argue many “apps” are just webviews built mainly to strengthen tracking, lock‑in, and store‑tax monetization.

Banking and “security” practices

  • Several banking apps reportedly:
    • Use app enumeration to block rooted or customized devices, alternate launchers, or non‑Play‑Store apps.
    • Justify this as “security,” which commenters find circular and often hypocritical, given the additional surveillance involved.