In its latest update on Developer Program Policy, Google announced that it restricts the use of high risk or sensitive permissions, including the QUERY_ALL_PACKAGES permission, which allows developers to access the list of installed apps on an Android device. The initiative is an outcome of misuse actions by threat actors using the permission to view users’ sensitive information such as financial data and political interests. According to the update, developers with QUERY_ALL_PACKAGES permission have until July 12, 2022, to meet the following requirements:
- Permitted uses: To use this permission, the app must fall within permitted uses, which involve apps that must discover the installed apps on the device for awareness or interoperability purposes(e.g., device search, antivirus apps, file managers, and browsers). In addition, the app must have a core purpose for searching the apps on the device, meaning the developer shall adequately justify that a less intrusive method of app visibility shall not sufficiently enable the app’s core functionality.Google may provide a temporary exception to the apps that do not qualify as permitted uses designated above: Apps with a verifiable core purpose involving financial-transaction functionality (e.g., dedicated banking and digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
- Declaration Form: filling out the relevant permission declaration in the Play Console. The declaration involves explaining why a “core feature” of the app requires the permission, with both a written description and a short video demonstration.
According to Google, the following apps will not be allowed to request the QUERY_ALL_PACKAGES permission:
- Where the use of the permission is not directly related to the core purpose of the app. For example, Peer-to-Peer (‘P2P’) sharing must be the core purpose of the app in order to qualify as a permitted use.
- When the data is acquired for the purpose of sale.
- When the data queried from Play-distributed apps are intended to be sold or shared for analytics or ads monetization purposes.
- When the required task can be done with a less broad app-visibility method.
Please note that apps that fail to meet the policy requirements or do not submit a declaration form may be removed from the Google Play marketplace. In addition, if the use of restricted permissions within the app is changed, the declaration must be revised with updated and accurate information. Deceptive and non-declared uses of these permissions may result in a suspension of the app and termination of the developer account.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.