←back to thread

Everyone knows all the apps on your phone

(peabee.substack.com)
1192 points gniting | 5 comments | 29 Mar 25 21:26 UTC | HN request time: 0.972s | source
Show context
dTal ◴[29 Mar 25 23:46 UTC] No.43519791[source]
Another fantastic reason to strictly only install apps from F-Droid.
replies(2): >>43519959 #>>43521143 #
JohnFen ◴[30 Mar 25 00:22 UTC] No.43519959[source]
How does that address the problem? Does F-Droid do some sort of additional screening to keep out apps that do this?
replies(2): >>43520038 #>>43520090 #
dandersch ◴[30 Mar 25 00:44 UTC] No.43520090[source]
packages on f-droid list all required permissions explicitly, and the mentioned permission seems to be listed as "query all packages: Allows an app to see all installed packages.". It doesn't mark the app as having "anti-features", but you can at least make a more informed decision this way.
replies(2): >>43520186 #>>43521191 #
1. JohnFen ◴[30 Mar 25 00:58 UTC] No.43520186[source]
That's pretty cool, but the article says that most apps that are doing this sort of thing aren't using the query all packages permission and instead are using the facility to provide a specific list of apps they're checking for, which is not permission-gated.
replies(1): >>43520962 #
2. wkat4242 ◴[30 Mar 25 03:16 UTC] No.43520962[source]
It is. It specifically says that the apps must be declared in the manifest like other permissions. So it's a specific permission for each app really. F-Droid could query that if it wants to (not sure if it does)
replies(1): >>43521838 #
3. throwaway290 ◴[30 Mar 25 06:27 UTC] No.43521838[source]
Did you stop reading before the post got to the MAIN loophole that doesn't require the list of apps in the manifest? How does F-droid describe MAIN?
replies(1): >>43523164 #
4. wkat4242 ◴[30 Mar 25 10:59 UTC] No.43523164{3}[source]
Yeah I did as the article was a bit long. But I'm sure this is detectable too as it must be in the manifest.
replies(1): >>43525994 #
5. throwaway290 ◴[30 Mar 25 17:45 UTC] No.43525994{4}[source]
The article already showed it is detectable. But it is not detected by Google and I am unclear if F-Droid detects it either...