Most active commenters

    ←back to thread

    Everyone knows all the apps on your phone

    (peabee.substack.com)
    1192 points gniting | 15 comments | 29 Mar 25 21:26 UTC | HN request time: 0s | source | bottom
    Show context
    zx8080 ◴[29 Mar 25 23:53 UTC] No.43519828[source]
    > For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.

    Why would browser need to enumerate the installed apps?

    Why?!

    replies(6): >>43519852 #>>43519860 #>>43521776 #>>43522253 #>>43522261 #>>43522492 #
    1. Borealid ◴[29 Mar 25 23:58 UTC] No.43519852[source]
    When a user visits a play.google.com URL Google wants to be able to show either an "install" or a "launch" button contingent on whether the app is already installed.

    In other words, blame Google product management.

    replies(5): >>43519879 #>>43520058 #>>43520420 #>>43521123 #>>43521423 #
    2. lurking_swe ◴[30 Mar 25 00:03 UTC] No.43519879[source]
    this doesn’t make sense and sounds like an excuse IMO.

    Instead of the browser enumerating all apps, why can’t it check when you visit a page if the current page (ONLY the current page) is installed as an app?

    replies(1): >>43519892 #
    3. jerbear4328 ◴[30 Mar 25 00:07 UTC] No.43519892[source]
    How would the OS know if the app that the browser is querying about is actually the current page? For all the OS knows, the user might be quickly visiting a ton of play.google.com pages for the top 1000 apps on the app store.
    replies(2): >>43520010 #>>43520082 #
    4. heavenlyblue ◴[30 Mar 25 00:30 UTC] No.43520010{3}[source]
    make it into a system dialog?
    replies(1): >>43520054 #
    5. LordShredda ◴[30 Mar 25 00:37 UTC] No.43520054{4}[source]
    But God forbid users learn how to use their device. All of this could be prevented by having the users manually pick the application instead.
    6. catigula ◴[30 Mar 25 00:38 UTC] No.43520058[source]
    A minor UX difference doesn't really feel like a great case for reducing user privacy, it makes me a little concerned about priorities... which I already was, really.
    7. lurking_swe ◴[30 Mar 25 00:43 UTC] No.43520082{3}[source]
    > How would the OS know if the app that the browser is querying about is actually the current page?

    Maybe i’m missing something, but it sounds like it would be easy for google to support this functionality by letting developers configure this in their app “bundle”. A property that tells the OS “my app is related to domain example.com”. Make it an array of domains if you must.

    replies(2): >>43520655 #>>43520866 #
    8. Jach ◴[30 Mar 25 01:33 UTC] No.43520420[source]
    I don't buy this. Google has this information on their backend, they don't need to query any local state. Indeed, when I visit a play.google.com URL, google checks if my browser is logged in or not. If it is not, the default is "Install" no matter what. If I do have a session, then it's either "Install" if I don't have it installed, or "Install on more devices" if I do have it installed.
    replies(1): >>43524464 #
    9. charcircuit ◴[30 Mar 25 02:18 UTC] No.43520655{4}[source]
    Intent filters can be for domains. It's how deeplinks work. But with querying being locked down you can't know what apps can handle a deeplink.
    10. codethief ◴[30 Mar 25 02:59 UTC] No.43520866{4}[source]
    > A property that tells the OS “my app is related to domain example.com”. Make it an array of domains if you must.

    Elaborating on the sibling's comment: There is already such a property that apps must set in their manifests in order for them to be able to react to links/intents for domain-associated-with-the-app.com.

    But it doesn't address the question of how a browser is supposed to be able to open links to domain-associated-with-the-app.com in that app, without Android revealing to the browser whether the app is installed or not. In short: The browser will, by construction, be able to determine which apps you've got installed or not.

    replies(1): >>43521605 #
    11. ◴[30 Mar 25 03:44 UTC] No.43521123[source]
    12. kelvinjps10 ◴[30 Mar 25 04:44 UTC] No.43521423[source]
    These kind of links open the play store app directly and the informstion it's displayed there
    13. pizza ◴[30 Mar 25 05:31 UTC] No.43521605{5}[source]
    I mean, do Windows or macOS tell the browser which mail apps you have installed when it handles a mail:// URI?
    replies(1): >>43521626 #
    14. josephg ◴[30 Mar 25 05:37 UTC] No.43521626{6}[source]
    No, but web browsers do have the ability to ask the OS which application is associated with a certain url type.

    But it doesn’t leak that information to web pages.

    15. NoahZuniga ◴[30 Mar 25 14:25 UTC] No.43524464[source]
    This is true, but if they didn't allow this permission for other browser apps that would be anti-competitive.