A recent research paper reports that a set of Android APIs called Installed Application Methods (IAMs) are exposing Android users’ sensitive information to advertisers. IAMs have a legitimate purpose. They were designed for developers to use to check compatibility issues when apps are launched on certain devices. However, IAMs can be abused to retrieve a list of other apps installed on the device which can help advertisers infer certain information (e.g. religion, gender, etc.)
The report uncovered the abuse by finding that more than 4,200 apps on the Google Play Store use IAMs only to recover a list of apps on the device and not for diagnostic purposes.
